Abstract

Standard abstract model checking relies on abstract Kripke structures which approximate concrete models by gluing together indistinguishable states, namely by a partition of the concrete state space. Strong preservation for a specification language $\mathcal{L}$ encodes the equivalence of concrete and abstract model checking of formulas in $\mathcal{L}$. We show how abstract interpretation can be used to design abstract models that are more general than abstract Kripke structures. Accordingly, strong preservation is generalized to abstract interpretation-based models and precisely related to the concept of completeness in abstract interpretation. The problem of minimally refining an abstract model in order to make it strongly preserving for some language $\mathcal{L}$ can be formulated as a minimal domain refinement in abstract interpretation in order to get completeness w.r.t. the logical/temporal operators of $\mathcal{L}$. It turns out that this refined strongly preserving abstract model always exists and can be characterized as a greatest fixed point. As a consequence, some well-known behavioural equivalences, like bisimulation, simulation and stuttering, and their corresponding partition refinement algorithms can be elegantly characterized in abstract interpretation as completeness properties and refinements.

Keywords: Abstract interpretation, abstract model checking, strong preservation, completeness, refinement, behavioural equivalence.

1 Introduction 

The design of an abstract model checking framework always includes a preservation result, roughly stating that for any formula $\varphi$ specified in some temporal language $\mathcal{L}$, if $\varphi$ holds on an abstract model then $\varphi$ also holds on the concrete model. On the other hand, strong preservation means that a formula of $\mathcal{L}$ holds on an abstract model if and only if it holds on the concrete model. Strong preservation is highly desirable since it allows one to draw consequences from negative answers on the abstract side [10].

Generalized Strong Preservation. The relationship between abstract interpretation and abstract model checking has been the subject of a number of works (see e.g. [9, 11, 16, 17, 19, 20, 28, 39, 40, 41, 43, 47]). This paper follows the standard abstract interpretation approach [13, 14] where abstract domains are specified by Galois connections, namely pairs of abstraction and concretization maps $\alpha/\gamma$. We deal with generic (temporal) languages $\mathcal{L}$ of state formulae that are inductively generated by some given sets of atomic propositions and operators. The interpretation $\mathbf{p}$ of atomic propositions $p \in AP$ as subsets of $\mathrm{States}$ and of operators $f \in Op$ as mappings $\mathbf{f}$ on $\wp(\mathrm{States})$ is determined by a suitable semantic structure $\mathcal{S}$, e.g. a Kripke structure, so that the concrete semantics $[\![\varphi]\!]_{\mathcal{S}} \in \wp(\mathrm{States})$ of a formula $\varphi \in \mathcal{L}$ is the set of states making $\varphi$ true w.r.t. $\mathcal{S}$. Abstract semantics can be systematically defined by standard abstract interpretation. The powerset $\wp(\mathrm{States})$ plays the role of concrete semantic domain so that abstract domains range in $\mathrm{AbsDom}(\wp(\mathrm{States}))$. Any abstract domain $A \in \mathrm{AbsDom}(\wp(\mathrm{States}))$ induces an abstract semantic structure $\mathcal{S}^A$ where atoms $p$ are abstracted to $\alpha(\mathbf{p})$ and operators $f$ are interpreted as best correct approximations on $A$, that is $\alpha \circ \mathbf{f} \circ \gamma$. Thus, $A$ determines an abstract semantics $[\![\varphi]\!]^A_{\mathcal{S}} \in A$ that evaluates formulae $\varphi \in \mathcal{L}$ in the abstract domain $A$.

It turns out that this approach generalizes standard abstract model checking [9, 10]. Given a Kripke structure $\mathcal{K} = (\mathrm{States}, \to)$ (for simplicity we omit here a labeling function for atomic propositions), a standard abstract model is specified as an abstract Kripke structure $\mathcal{A} = (\mathrm{AStates}, \to^\sharp)$ where the set $\mathrm{AStates}$ of abstract states is defined by a surjective map $h : \mathrm{States} \to \mathrm{AStates}$. Thus, $\mathrm{AStates}$ determines a partition of $\mathrm{States}$ and vice versa. It turns out that state partitions are particular abstract domains. In fact, the lattice of partitions of $\mathrm{States}$ is an abstract interpretation of the lattice of abstract domains $\mathrm{AbsDom}(\wp(\mathrm{States}))$ so that the abstract state space $\mathrm{AStates}$ corresponds to a particular abstract domain $\mathrm{ad}(\mathrm{AStates}) \in \mathrm{AbsDom}(\wp(\mathrm{States}))$. Abstract domains that can be derived from a state partition are called partitioning. The interpretation of the language $\mathcal{L}$ w.r.t. the abstract Kripke structure $\mathcal{A}$ determines an abstract semantic function $[\![\varphi]\!]_{\mathcal{A}} \in \wp(\mathrm{AStates})$. The abstract Kripke structure $\mathcal{A}$ strongly preserves $\mathcal{L}$ when for any $\varphi \in \mathcal{L}$ and $s \in \mathrm{States}$, it turns out that $h(s) \in [\![\varphi]\!]_{\mathcal{A}} \Leftrightarrow s \in [\![\varphi]\!]_{\mathcal{K}}$.

Strong preservation can then be generalized from standard abstract models to abstract interpretation-based models. Given a generalized abstract model $A \in \mathrm{AbsDom}(\wp(\mathrm{States}))$, the induced abstract semantics $[\![\cdot]\!]^A_{\mathcal{S}}$ is strongly preserving for $\mathcal{L}$ when for any $\varphi \in \mathcal{L}$ and $S \in \wp(\mathrm{States})$, $\alpha(S) \leq_A [\![\varphi]\!]^A_{\mathcal{S}} \Leftrightarrow S \subseteq [\![\varphi]\!]_{\mathcal{S}}$. It turns out that this is an abstract domain property, because any abstract semantics $[\![\cdot]\!]^\sharp : \mathcal{L} \to A$ that evaluates formulae in the abstract domain $A$ is strongly preserving for $\mathcal{L}$ if and only if $[\![\cdot]\!]^A_{\mathcal{S}}$ is. Standard strong preservation becomes a particular instance, namely an abstract Kripke structure strongly preserves $\mathcal{L}$ if and only if the corresponding partitioning abstract model strongly preserves $\mathcal{L}$. On the other hand, generalized strong preservation may work where standard strong preservation may fail, namely it may happen that although a strongly preserving abstract semantics on a partitioning abstract model $\mathrm{ad}(\mathrm{AStates})$ exists, this cannot be derived from a strongly preserving abstract Kripke structure on $\mathrm{AStates}$.

Generalized Strong Preservation and Complete Abstract Interpretations. Given a language $\mathcal{L}$ and a Kripke structure $\mathcal{K} = (\mathrm{States}, \to)$, a well-known key problem is to compute the smallest abstract state space $\mathrm{AStates}_{\mathcal{L}}$, when this exists, such that one can define an abstract Kripke structure $\mathcal{A}_{\mathcal{L}} = (\mathrm{AStates}_{\mathcal{L}}, \to^\sharp)$ that strongly preserves $\mathcal{L}$. This problem admits a solution for a number of well-known temporal languages like CTL (or, equivalently, the $\mu$-calculus), ACTL and CTL-X (i.e. CTL without the next-time operator X). A number of algorithms for solving this problem exist, like those by Paige and Tarjan [42] for CTL, by Henzinger et al. [35], Bustan and Grumberg [5] and Tan and Cleaveland [48] for ACTL, and Groote and Vaandrager [32] for CTL-X. These are coarsest partition refinement algorithms: given a language $\mathcal{L}$ and a partition $P$ of $\mathrm{States}$, which is determined by a state labeling, these algorithms can be viewed as computing the coarsest partition $P_{\mathcal{L}}$ that refines $P$ and strongly preserves $\mathcal{L}$. It is worth remarking that most of these algorithms have been designed for computing well-known behavioural equivalences used in process algebra like bisimulation (for CTL), simulation (for ACTL) and divergence-blind stuttering (for CTL-X) equivalence. Our abstract interpretation-based framework allows us to give a generalized view of the above partition refinement algorithms. We show that the most abstract domain $\mathrm{AD}_{\mathcal{L}} \in \mathrm{AbsDom}(\wp(\mathrm{States}))$ that strongly preserves a given language $\mathcal{L}$ always exists. It turns out that $\mathrm{AD}_{\mathcal{L}}$ is a partitioning abstract domain if and only if $\mathcal{L}$ includes full propositional logic, that is when $\mathcal{L}$ is closed under logical conjunction and negation. Otherwise, a proper loss of information occurs when abstracting $\mathrm{AD}_{\mathcal{L}}$ to the corresponding partition $P_{\mathcal{L}}$. Moreover, for some languages $\mathcal{L}$, it may happen that one cannot define an abstract Kripke structure on the abstract state space $P_{\mathcal{L}}$ that strongly preserves $\mathcal{L}$ whereas the most abstract strongly preserving semantics in $\mathrm{AbsDom}(\wp(\mathrm{States}))$ instead exists.

The concept of complete abstract interpretation is well known [14, 31]. This encodes an ideal situation where the abstract semantics coincides with the abstraction of the concrete semantics. We establish a precise correspondence between generalized strong preservation of abstract models and completeness in abstract interpretation. Our results are based on the notion of forward complete abstract domain. An abstract domain $A$ is forward complete for a concrete semantic function $f$ when for any $a \in A$, $f(\gamma(a)) = \gamma(\alpha(f(\gamma(a))))$, namely when no loss of precision occurs by approximating in $A$ a computation $f(\gamma(a))$. This notion of forward completeness is dual and orthogonal to the standard definition of completeness in abstract interpretation. Giacobazzi et al. [31] showed how complete abstract domains can be systematically and constructively derived from noncomplete abstract domains by minimal refinements. This can be done for forward completeness as well. Given any domain $A$, the most abstract domain that refines $A$ and is forward complete for $f$ does exist and can be characterized as a greatest fixpoint. Such a domain is called the forward complete shell of $A$ for $f$. It turns out that strong preservation is related to forward completeness as follows. As described above, the most abstract domain $\mathrm{AD}_{\mathcal{L}}$ that strongly preserves $\mathcal{L}$ always exists. It turns out that $\mathrm{AD}_{\mathcal{L}}$ coincides with the forward complete shell for the operators of $\mathcal{L}$ of a basic abstract domain determined by the state labeling. This characterization provides an elegant generalization of partition refinement algorithms used in standard abstract model checking. As a consequence of these results, we derive a novel characterization of the corresponding behavioural equivalences in terms of forward completeness of abstract domains. For example, it turns out that a partition $P$ is a bisimulation on some Kripke structure $\mathcal{K}$ if and only if the corresponding partitioning abstract domain $\mathrm{ad}(P)$ is forward complete for the standard predecessor transformer $\mathrm{pre}_{\to}$ in $\mathcal{K}$.

2 Basic Notions 

2.1 Notation and Preliminaries 

Let $X$ be any set. $\mathrm{Fun}(X)$ denotes the set of functions $f : X^n \to X$, for some $n \geq 0$, called the arity of $f$. Following a standard convention, when $n = 0$, $f$ is meant to be a specific object of $X$. The arity of $f$ is also denoted by $\sharp(f) \geq 0$. $\mathrm{id}$ denotes the identity map. If $F \subseteq \mathrm{Fun}(X)$ and $Y \subseteq X$ then $F(Y) = \{ f(\vec{y}) \mid f \in F,\ \vec{y} \in Y^{\sharp(f)} \}$, namely $F(Y)$ is the set of images of $Y$ for each function in $F$. If $f : X \to Y$ then the image of $f$ is also denoted by $\mathrm{img}(f) = \{ f(x) \in Y \mid x \in X \}$. If $f : X \to Y$ and $g : Y \to Z$ then $g \circ f : X \to Z$ denotes the composition of $f$ and $g$, i.e. $g \circ f = \lambda x.\, g(f(x))$. The complement operator for the universe set $X$ is $\complement : \wp(X) \to \wp(X)$, where $\complement(S) = X \setminus S$. When writing a set $S$ of subsets of a given set, like a partition, we often write $S$ in a compact form like $\{1, 12, 13\}$ or $\{[1], [12], [13]\}$ that stand for $\{\{1\}, \{1, 2\}, \{1, 3\}\}$. $\mathrm{Ord}$ denotes the proper class of ordinals and $\omega \in \mathrm{Ord}$ denotes the first infinite ordinal.

Let $(P, \leq)$ be a poset. Posets are often denoted also by $P_\leq$. We use the symbol $\sqsubseteq$ to denote pointwise ordering between functions: if $X$ is any set and $f, g : X \to P$ then $f \sqsubseteq g$ if for all $x \in X$, $f(x) \leq g(x)$. A mapping $f : P \to Q$ on posets is continuous when $f$ preserves least upper bounds (lub's) of countable chains in $P$, while, dually, it is co-continuous when $f$ preserves greatest lower bounds (glb's) of countable chains in $P$. A complete lattice $C_\leq$ is also denoted by $(C, \leq, \vee, \wedge, \top, \bot)$ where $\vee$, $\wedge$, $\top$ and $\bot$ denote, respectively, lub, glb, greatest element and least element in $C$. A mapping $f : C \to D$ between complete lattices is additive (co-additive) when for any $Y \subseteq C$, $f(\vee_C Y) = \vee_D f(Y)$ ($f(\wedge_C Y) = \wedge_D f(Y)$). We denote by $\mathrm{lfp}(f)$ and $\mathrm{gfp}(f)$, respectively, the least and greatest fixpoint, when they exist, of an operator $f$ on a poset. The well-known Knaster-Tarski theorem states that any monotone operator $f : C \to C$ on a complete lattice $C$ admits a least fixpoint and the following characterization holds:

$$\mathrm{lfp}(f) = \wedge \{ x \in C \mid f(x) \leq x \} = \vee_{\alpha \in \mathrm{Ord}} f^{\alpha,\uparrow}(\bot)$$

where the upper iteration sequence $\{ f^{\alpha,\uparrow}(x) \}_{\alpha \in \mathrm{Ord}}$ of $f$ in $x \in C$ is defined by transfinite induction on $\alpha$ as usual:

- $\alpha = 0$: $f^{0,\uparrow}(x) = x$;

- successor ordinal $\alpha = \beta + 1$: $f^{\beta+1,\uparrow}(x) = f(f^{\beta,\uparrow}(x))$;

- limit ordinal $\alpha$: $f^{\alpha,\uparrow}(x) = \vee_{\beta < \alpha} f^{\beta,\uparrow}(x)$.

It is well known that if $f$ is continuous then $\mathrm{lfp}(f) = \vee_{\alpha \in \omega} f^{\alpha,\uparrow}(\bot)$. Dually, $f$ also admits a greatest fixpoint and the following characterization holds:

$$\mathrm{gfp}(f) = \vee \{ x \in C \mid x \leq f(x) \} = \wedge_{\alpha \in \mathrm{Ord}} f^{\alpha,\downarrow}(\top),$$

where the lower iteration sequence $\{ f^{\alpha,\downarrow}(x) \}_{\alpha \in \mathrm{Ord}}$ of $f$ in $x \in C$ is defined as the upper iteration sequence but for the case of limit ordinals: $f^{\alpha,\downarrow}(x) = \wedge_{\beta < \alpha} f^{\beta,\downarrow}(x)$.

Let $\Sigma$ be any set. $\mathrm{PreOrd}(\Sigma)$ denotes the set of preorder relations on $\Sigma$, that is $R \subseteq \Sigma \times \Sigma$ is a preorder on $\Sigma$ if $R$ is reflexive and transitive. $\mathrm{Part}(\Sigma)$ denotes the set of partitions of $\Sigma$. Sets in a partition $P$ are called blocks of $P$. If $\equiv\, \subseteq \Sigma \times \Sigma$ is an equivalence relation then we denote by $P_\equiv \in \mathrm{Part}(\Sigma)$ the corresponding partition of $\Sigma$. Vice versa, if $P \in \mathrm{Part}(\Sigma)$ then $\equiv_P\, \subseteq \Sigma \times \Sigma$ denotes the corresponding equivalence relation on $\Sigma$. $\mathrm{Part}(\Sigma)$ is endowed with the following standard partial order $\preceq$: $P_1 \preceq P_2$, i.e. $P_2$ is coarser than $P_1$ (or $P_1$ refines $P_2$) iff $\forall B \in P_1.\ \exists B' \in P_2.\ B \subseteq B'$. It is well known that $(\mathrm{Part}(\Sigma), \preceq)$ is a complete lattice.

A transition system $\mathcal{T} = (\Sigma, \to)$ consists of a (possibly infinite) set $\Sigma$ of states and a transition relation $\to\, \subseteq \Sigma \times \Sigma$. As usual [10], we assume that the relation $\to$ is total, i.e., for any $s \in \Sigma$ there exists some $t \in \Sigma$ such that $s \to t$, so that any maximal path in $\mathcal{T}$ is necessarily infinite. $\mathcal{T}$ is finitely branching when for any $s \in \Sigma$, $\{ t \in \Sigma \mid s \to t \}$ is a finite set. The pre/post transformers on $\wp(\Sigma)$ are defined as usual:

- $\mathrm{pre}_\to = \lambda Y.\, \{ a \in \Sigma \mid \exists b \in Y.\ a \to b \}$;

- $\widetilde{\mathrm{pre}}_\to = \complement \circ \mathrm{pre}_\to \circ \complement = \lambda Y.\, \{ a \in \Sigma \mid \forall b \in \Sigma.\ (a \to b \Rightarrow b \in Y) \}$;

- $\mathrm{post}_\to = \lambda Y.\, \{ b \in \Sigma \mid \exists a \in Y.\ a \to b \}$;

- $\widetilde{\mathrm{post}}_\to = \complement \circ \mathrm{post}_\to \circ \complement = \lambda Y.\, \{ b \in \Sigma \mid \forall a \in \Sigma.\ (a \to b \Rightarrow a \in Y) \}$.

Let us observe that $\mathrm{pre}_\to$ and $\mathrm{post}_\to$ are additive operators on $\wp(\Sigma)_\subseteq$ while $\widetilde{\mathrm{pre}}_\to$ and $\widetilde{\mathrm{post}}_\to$ are co-additive. If $R \subseteq \Sigma_1 \times \Sigma_2$ is any relation then the relations $R^{\exists\exists}, R^{\forall\exists} \subseteq \wp(\Sigma_1) \times \wp(\Sigma_2)$ are defined as follows:

- $(S_1, S_2) \in R^{\exists\exists}$ iff $\exists s_1 \in S_1.\ \exists s_2 \in S_2.\ (s_1, s_2) \in R$;

- $(S_1, S_2) \in R^{\forall\exists}$ iff $\forall s_1 \in S_1.\ \exists s_2 \in S_2.\ (s_1, s_2) \in R$.
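The transformers just defined, together with the Knaster-Tarski iteration sequences recalled above, can be exercised on a small finite transition system. The following Python code is an added example and is not part of the paper: the state space, the transition relation and all function names are constructed here. On a finite $\wp(\Sigma)$ additivity reduces to preserving the empty union and binary unions, which is what the checks below test; the two fixpoint helpers compute $\mathrm{lfp}(\lambda X.\, Y \cup \mathrm{pre}_\to(X))$ (states that can reach $Y$) and $\mathrm{gfp}(\lambda X.\, Y \cap \mathrm{pre}_\to(X))$ (states from which some path stays in $Y$ forever) by the upper and lower iteration sequences.

```python
from itertools import combinations

# Constructed transition system (added example, not from the paper):
# states Σ = {1,2,3,4} and a total relation → (every state has a successor).
SIGMA = frozenset({1, 2, 3, 4})
TRANS = frozenset({(1, 2), (2, 3), (3, 3), (4, 3), (4, 4)})


def powerset(S):
    """All subsets of S: the complete lattice ℘(S) ordered by ⊆."""
    s = sorted(S)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def comp(Y):
    """Complement operator ∁ for the universe Σ."""
    return SIGMA - Y


def pre(Y):
    """pre_→(Y) = {a ∈ Σ | ∃b ∈ Y. a→b}."""
    return frozenset(a for (a, b) in TRANS if b in Y)


def post(Y):
    """post_→(Y) = {b ∈ Σ | ∃a ∈ Y. a→b}."""
    return frozenset(b for (a, b) in TRANS if a in Y)


def pre_tilde(Y):
    """pre~_→ = ∁ ∘ pre_→ ∘ ∁: states all of whose successors lie in Y."""
    return comp(pre(comp(Y)))


def post_tilde(Y):
    """post~_→ = ∁ ∘ post_→ ∘ ∁: states all of whose predecessors lie in Y."""
    return comp(post(comp(Y)))


def pre_tilde_direct(Y):
    """The ∀-definition {a | ∀b. a→b ⇒ b ∈ Y}, used to cross-check the composed form."""
    return frozenset(a for a in SIGMA if all(b in Y for (x, b) in TRANS if x == a))


def is_additive(f):
    """f preserves unions: f(∅) = ∅ and f(X ∪ Y) = f(X) ∪ f(Y) for all X, Y ⊆ Σ."""
    P = powerset(SIGMA)
    return f(frozenset()) == frozenset() and all(f(X | Y) == f(X) | f(Y) for X in P for Y in P)


def is_coadditive(f):
    """f preserves intersections: f(Σ) = Σ and f(X ∩ Y) = f(X) ∩ f(Y) for all X, Y ⊆ Σ."""
    P = powerset(SIGMA)
    return f(SIGMA) == SIGMA and all(f(X & Y) == f(X) & f(Y) for X in P for Y in P)


def rel_EE(R, S1, S2):
    """(S1, S2) ∈ R^∃∃ iff some s1 ∈ S1 is R-related to some s2 ∈ S2."""
    return any((s1, s2) in R for s1 in S1 for s2 in S2)


def rel_AE(R, S1, S2):
    """(S1, S2) ∈ R^∀∃ iff every s1 ∈ S1 is R-related to some s2 ∈ S2."""
    return all(any((s1, s2) in R for s2 in S2) for s1 in S1)


def lfp(f, bottom=frozenset()):
    """Upper iteration sequence f^{k,↑}(⊥); on a finite lattice it reaches lfp(f)."""
    x = bottom
    while f(x) != x:
        x = f(x)
    return x


def gfp(f, top=SIGMA):
    """Lower iteration sequence f^{k,↓}(⊤); on a finite lattice it reaches gfp(f)."""
    x = top
    while f(x) != x:
        x = f(x)
    return x


def reach(Y):
    """States that can reach Y: lfp(λX. Y ∪ pre_→(X))."""
    return lfp(lambda X: Y | pre(X))


def stay(Y):
    """States from which some path stays in Y forever: gfp(λX. Y ∩ pre_→(X))."""
    return gfp(lambda X: Y & pre(X))
```

Note that $\mathrm{pre}_\to(Y)$ coincides with $\{ a \mid (\{a\}, Y) \in \to^{\exists\exists} \}$, which is how the lifted relations of the last two bullets connect to the transformers.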

2.2 Abstract Interpretation and Completeness 
2.2.1 Abstract Domains 

In standard Cousot and Cousot's abstract interpretation, abstract domains can be equivalently specified either by Galois connections, i.e. adjunctions, or by upper closure operators (uco's) [13, 14]. Let us recall these standard notions.

Galois Connections and Insertions. If $A$ and $C$ are posets and $\alpha : C \to A$ and $\gamma : A \to C$ are monotone functions such that $\forall c \in C.\ c \leq_C \gamma(\alpha(c))$ and $\alpha(\gamma(a)) \leq_A a$ then the quadruple $(\alpha, C, A, \gamma)$ is called a Galois connection (GC for short) between $C$ and $A$. If in addition $\alpha \circ \gamma = \lambda x.\, x$ then $(\alpha, C, A, \gamma)$ is a Galois insertion (GI for short) of $A$ in $C$. In a GI, $\gamma$ is 1-1 and $\alpha$ is onto. Let us also recall that the notion of GC is equivalent to that of adjunction: if $\alpha : C \to A$ and $\gamma : A \to C$ then $(\alpha, C, A, \gamma)$ is a GC iff $\forall c \in C.\ \forall a \in A.\ \alpha(c) \leq_A a \Leftrightarrow c \leq_C \gamma(a)$. The map $\alpha$ ($\gamma$) is called the left- (right-) adjoint to $\gamma$ ($\alpha$). It turns out that one adjoint map $\alpha/\gamma$ uniquely determines the other adjoint map $\gamma/\alpha$ as follows. On the one hand, a map $\alpha : C \to A$ admits a necessarily unique right-adjoint map $\gamma : A \to C$ iff $\alpha$ preserves arbitrary lub's; in this case, we have that $\gamma = \lambda a.\, \vee_C \{ c \in C \mid \alpha(c) \leq_A a \}$. On the other hand, a map $\gamma : A \to C$ admits a necessarily unique left-adjoint map $\alpha : C \to A$ iff $\gamma$ preserves arbitrary glb's; in this case, $\alpha = \lambda c.\, \wedge_A \{ a \in A \mid c \leq_C \gamma(a) \}$. In particular, we have that in any GC $(\alpha, C, A, \gamma)$ between complete lattices it turns out that $\alpha$ is additive and $\gamma$ is co-additive. Also, if $(\alpha, C, A, \gamma)$ is a GI and $C$ is a complete lattice then $A$ is a complete lattice as well and $(A, \leq_A)$ is order-isomorphic to $(\mathrm{img}(\gamma), \leq_C)$.

We assume the standard abstract interpretation framework, where concrete and abstract domains, $C$ and $A$, are complete lattices related by abstraction and concretization maps $\alpha$ and $\gamma$ forming a GC $(\alpha, C, A, \gamma)$. $A$ is called an abstraction of $C$ and $C$ a concretization of $A$. The ordering relations on concrete and abstract domains describe the relative precision of domain values: $x \leq y$ means that $y$ is an approximation of $x$ or, equivalently, $x$ is more precise than $y$. Galois connections allow one to relate the concrete and abstract notions of relative precision: an abstract value $a \in A$ approximates a concrete value $c \in C$ when $\alpha(c) \leq_A a$, or, equivalently (by adjunction), $c \leq_C \gamma(a)$. As a key consequence of requiring a Galois connection, it turns out that $\alpha(c)$ is the best possible approximation in $A$ of $c$, that is $\alpha(c) = \wedge \{ a \in A \mid c \leq_C \gamma(a) \}$ holds. If $(\alpha, C, A, \gamma)$ is a GI then each value of the abstract domain $A$ is useful in representing $C$, because all the values in $A$ represent distinct members of $C$, $\gamma$ being 1-1. Any GC can be lifted to a GI by identifying in an equivalence class those values of the abstract domain with the same concretization. $\mathrm{Abs}(C)$ denotes the set of abstract domains of $C$ and we write $A \in \mathrm{Abs}(C)$ to mean that the abstract domain $A$ is related to $C$ through a GI $(\alpha, C, A, \gamma)$. An abstract domain $A$ is disjunctive when the corresponding concretization map $\gamma$ is additive.

Closure Operators. An (upper) closure operator, or simply a closure, on a poset $P_\leq$ is an operator $\mu : P \to P$ that is monotone, idempotent and extensive, i.e., $\forall x \in P.\ x \leq \mu(x)$. Dually, lower closure operators are monotone, idempotent, and restrictive, i.e., $\forall x \in P.\ \mu(x) \leq x$. $\mathrm{uco}(P)$ denotes the set of closure operators on $P$. Let $(C, \leq, \vee, \wedge, \top, \bot)$ be a complete lattice. A closure $\mu \in \mathrm{uco}(C)$ is uniquely determined by its image $\mathrm{img}(\mu)$, which coincides with its set of fixpoints, as follows: $\mu = \lambda y.\, \wedge \{ x \in \mathrm{img}(\mu) \mid y \leq x \}$. Also, $X \subseteq C$ is the image of some closure operator $\mu_X$ on $C$ iff $X$ is a Moore-family of $C$, i.e., $X = \mathcal{M}(X) = \{ \wedge S \mid S \subseteq X \}$, where $\wedge \emptyset = \top \in \mathcal{M}(X)$. In other terms, $X$ is a Moore-family of $C$ when $X$ is meet-closed. In this case, $\mu_X = \lambda y.\, \wedge \{ x \in X \mid y \leq x \}$ is the corresponding closure operator on $C$. For any $X \subseteq C$, $\mathcal{M}(X)$ is called the Moore-closure of $X$ in $C$, i.e., $\mathcal{M}(X)$ is the least (w.r.t. set inclusion) subset of $C$ which contains $X$ and is a Moore-family of $C$. Moreover, it turns out that for any $\mu \in \mathrm{uco}(C)$ and any Moore-family $X \subseteq C$, $\mu_{\mathrm{img}(\mu)} = \mu$ and $\mathrm{img}(\mu_X) = X$. Thus, closure operators on $C$ are in bijection with Moore-families of $C$. This allows us to consider a closure operator $\mu \in \mathrm{uco}(C)$ both as a function $\mu : C \to C$ and as a Moore-family $\mathrm{img}(\mu) \subseteq C$. This is particularly useful and does not give rise to ambiguity since one can distinguish the use of a closure $\mu$ as function or set according to the context.

It turns out that $(\mu, \leq)$ is a complete meet subsemilattice of $C$, i.e. $\wedge$ is its glb, but, in general, it is not a complete sublattice of $C$, since the lub in $\mu$, defined by $\lambda Y \subseteq \mu.\, \mu(\vee Y)$, might be different from that in $C$. In fact, it turns out that $\mu$ is a complete sublattice of $C$ (namely, $\mathrm{img}(\mu)$ is also join-closed) iff $\mu$ is additive.

If $C$ is a complete lattice then $\mathrm{uco}(C)$ endowed with the pointwise ordering $\sqsubseteq$ is a complete lattice denoted by $(\mathrm{uco}(C), \sqsubseteq, \sqcup, \sqcap, \lambda x.\top, \lambda x.x)$, where for every $\mu, \eta \in \mathrm{uco}(C)$, $\{ \mu_i \}_{i \in I} \subseteq \mathrm{uco}(C)$ and $x \in C$:

- $\mu \sqsubseteq \eta$ iff $\forall y \in C.\ \mu(y) \leq \eta(y)$ iff $\mathrm{img}(\eta) \subseteq \mathrm{img}(\mu)$;

- $(\sqcap_{i \in I} \mu_i)(x) = \wedge_{i \in I} \mu_i(x)$;

- $x \in \sqcup_{i \in I} \mu_i \Leftrightarrow \forall i \in I.\ x \in \mu_i$;

- $\lambda x.\top$ is the greatest element, whereas $\lambda x.x$ is the least element.

Thus, the glb in $\mathrm{uco}(C)$ is defined pointwise, while the lub of a set of closures $\{ \mu_i \}_{i \in I} \subseteq \mathrm{uco}(C)$ is the closure whose image is given by the set-intersection $\cap_{i \in I} \mu_i$.

The Lattice of Abstract Domains. It is well known since [14] that abstract domains can be equivalently specified either as Galois insertions or as closures. These two approaches are completely equivalent. On the one hand, if $\mu \in \mathrm{uco}(C)$ and $A$ is a complete lattice which is isomorphic to $\mathrm{img}(\mu)$, where $\iota : \mathrm{img}(\mu) \to A$ and $\iota^{-1} : A \to \mathrm{img}(\mu)$ provide the isomorphism, then $(\iota \circ \mu, C, A, \iota^{-1})$ is a GI. On the other hand, if $(\alpha, C, A, \gamma)$ is a GI then $\mu_A = \gamma \circ \alpha \in \mathrm{uco}(C)$ is the closure associated with $A$ such that $(\mathrm{img}(\mu_A), \leq_C)$ is a complete lattice which is isomorphic to $(A, \leq_A)$. Furthermore, these two constructions are inverses of each other. Let us also remark that an abstract domain $A$ is disjunctive iff $\mu_A$ is additive. Given an abstract domain $A$ specified by a GI $(\alpha, C, A, \gamma)$, its associated closure $\gamma \circ \alpha$ on $C$ can be thought of as the "logical meaning" of $A$ in $C$, since this is shared by any other abstract representation for the objects of $A$. Thus, the closure operator approach is particularly convenient when reasoning about properties of abstract domains independently from the representation of their objects.

Abstract domains specified by GIs can be pre-ordered w.r.t. precision as follows: if $A_1, A_2 \in \mathrm{Abs}(C)$ then $A_1$ is more precise (or concrete) than $A_2$ (or $A_2$ is an abstraction of $A_1$), denoted by $A_1 \sqsubseteq A_2$, when $\mu_{A_1} \sqsubseteq \mu_{A_2}$. The pointwise ordering $\sqsubseteq$ between uco's corresponds therefore to the standard ordering used to compare abstract domains with respect to their precision. Also, $A_1$ and $A_2$ are equivalent, denoted by $A_1 \simeq A_2$, when their associated closures coincide, i.e. $\mu_{A_1} = \mu_{A_2}$. Hence, the quotient $\mathrm{Abs}(C)/_\simeq$ gives rise to a poset that, by a slight abuse of notation, is simply denoted by $(\mathrm{Abs}(C), \sqsubseteq)$. Thus, when we write $A \in \mathrm{Abs}(C)$ we mean that $A$ is any representative of an equivalence class in $\mathrm{Abs}(C)/_\simeq$ and is specified by a Galois insertion $(\alpha, C, A, \gamma)$. It turns out that $(\mathrm{Abs}(C), \sqsubseteq)$ is a complete lattice, called the lattice of abstract interpretations of $C$ [13, 14], because it is isomorphic to the complete lattice $(\mathrm{uco}(C), \sqsubseteq)$. Lub's and glb's in $\mathrm{Abs}(C)$ have therefore the following reading as operators on domains. Let $\{ A_i \}_{i \in I} \subseteq \mathrm{Abs}(C)$: (i) $\sqcup_{i \in I} A_i$ is the most concrete among the domains which are abstractions of all the $A_i$'s; (ii) $\sqcap_{i \in I} A_i$ is the most abstract among the domains which are more concrete than every $A_i$; this latter domain is also known as the reduced product of all the $A_i$'s.
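The closure-operator view of Sections 2.2.1 (closures, Moore families, the lattice $\mathrm{uco}(C)$ and its correspondence with Galois insertions) can be made concrete on the finite lattice $\wp(\Sigma)$. The Python code below is an added example, not the paper's own code: the state set, the two generating families and all helper names are constructed here. It builds Moore closures, the closure operator $\mu_X$ of a Moore family, checks the uco axioms, the pointwise order, the lub (image intersection) and glb (pointwise meet, whose image is $\mathcal{M}$ of the union of images), and the GI $(\mu, C, \mathrm{img}(\mu), \mathrm{incl})$ associated with a closure. Additivity is checked on binary unions, which on a finite lattice is equivalent to the join-closedness of the image.

```python
from itertools import combinations

# Constructed concrete domain (added example, not from the paper):
# C = ℘(Σ) for Σ = {1,2,3,4}, ordered by ⊆, meet = ∩, top = Σ.
SIGMA = frozenset({1, 2, 3, 4})


def powerset(S):
    s = sorted(S)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


C = powerset(SIGMA)


def moore(X):
    """Moore closure M(X): least meet-closed family containing X, with ∩∅ = Σ as top.
    Adding x and all meets x ∩ y to a meet-closed family keeps it meet-closed."""
    fam = {SIGMA}
    for x in X:
        fam |= {x & y for y in fam}
    return frozenset(fam)


def closure_of(X):
    """μ_X = λy. ∩{x ∈ X | y ⊆ x}; X must be a Moore family so the meet is never empty."""
    return lambda y: frozenset.intersection(*[x for x in X if y <= x])


def image(mu):
    """img(μ), which coincides with the set of fixpoints of μ."""
    return frozenset(mu(c) for c in C)


def is_uco(mu):
    """Upper closure operator: monotone, idempotent and extensive on C."""
    monotone = all(mu(x) <= mu(y) for x in C for y in C if x <= y)
    idempotent = all(mu(mu(x)) == mu(x) for x in C)
    extensive = all(x <= mu(x) for x in C)
    return monotone and idempotent and extensive


def is_additive(mu):
    """μ preserves binary unions iff img(μ) is join-closed (a sublattice of C)."""
    return all(mu(x | y) == mu(x) | mu(y) for x in C for y in C)


def less_precise(mu, eta):
    """μ ⊑ η (pointwise), equivalently img(η) ⊆ img(μ)."""
    return all(mu(x) <= eta(x) for x in C)


def lub(mu, eta):
    """μ ⊔ η: the closure whose image is img(μ) ∩ img(η)."""
    return closure_of(image(mu) & image(eta))


def glb(mu, eta):
    """μ ⊓ η: defined pointwise, (μ ⊓ η)(x) = μ(x) ∩ η(x)."""
    return lambda x: mu(x) & eta(x)


def galois_insertion_holds(mu):
    """GI (α, C, A, γ) associated with μ: A = img(μ), α = μ, γ = inclusion.
    True iff c ⊆ γ(α(c)) for all c and α(γ(a)) = a for all a ∈ A."""
    A = image(mu)
    alpha, gamma = mu, (lambda a: a)
    return all(c <= gamma(alpha(c)) for c in C) and all(alpha(gamma(a)) == a for a in A)


# Two Moore families generated from a few sets (constructed).
X1 = moore({frozenset({1, 2}), frozenset({3})})
X2 = moore({frozenset({1, 2, 3}), frozenset({2, 3, 4})})
MU1, MU2 = closure_of(X1), closure_of(X2)
```

`X1` is not join-closed ($\{1,2\} \cup \{3\} \notin X_1$), so `MU1` is a meet subsemilattice but not a sublattice of $\wp(\Sigma)$, while `X2` is join-closed and `MU2` is additive; the glb of the two closures is their reduced product, whose image is $\mathcal{M}(X_1 \cup X_2)$.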

2.2.2 Completeness 

Let $C$ be a concrete domain, $f : C \to C$ be a concrete semantic function¹ and let $f^\sharp : A \to A$ be a corresponding abstract function on an abstract domain $A \in \mathrm{Abs}(C)$ specified by a GI $(\alpha, C, A, \gamma)$. Then, $(A, f^\sharp)$ is a sound abstract interpretation when $\alpha \circ f \sqsubseteq f^\sharp \circ \alpha$ holds. The abstract function $f^\sharp$ is called a correct approximation on $A$ of $f$. This means that a concrete computation $f(c)$ can be correctly approximated in $A$ by $f^\sharp(\alpha(c))$, namely $\alpha(f(c)) \leq_A f^\sharp(\alpha(c))$. An abstract function $f_1^\sharp : A \to A$ is more precise than $f_2^\sharp : A \to A$ when $f_1^\sharp \sqsubseteq f_2^\sharp$. Since $\alpha \circ f \sqsubseteq f^\sharp \circ \alpha$ holds iff $\alpha \circ f \circ \gamma \sqsubseteq f^\sharp$ holds, the abstract function $f^A = \alpha \circ f \circ \gamma : A \to A$ is called the best correct approximation of $f$ in $A$.

Completeness in abstract interpretation corresponds to requiring that, in addition to soundness, no loss of precision occurs when $f(c)$ is approximated in $A$ by $f^\sharp(\alpha(c))$. Thus, completeness of $f^\sharp$ for $f$ is encoded by the equation $\alpha \circ f = f^\sharp \circ \alpha$. This is also called backward completeness because a dual form of forward completeness may be considered. As a very simple example, let us consider the abstract domain $\mathit{Sign}$ representing the sign of an integer variable, namely $\mathit{Sign} = \{ \bot, \mathbb{Z}_{<0}, 0, \mathbb{Z}_{>0}, \top \} \in \mathrm{Abs}(\wp(\mathbb{Z})_\subseteq)$. Let us consider the binary concrete operation of integer addition on sets of integers, that is $X + Y = \{ x + y \mid x \in X, y \in Y \}$, and the square operator on sets of integers, that is $X^2 = \{ x^2 \mid x \in X \}$. It turns out that the best correct approximation $+^{\mathit{Sign}}$ of integer addition in $\mathit{Sign}$ is sound but not complete, because $\alpha(\{-1\} + \{1\}) = \alpha(\{0\}) = 0 <_{\mathit{Sign}} \top = \alpha(\{-1\}) +^{\mathit{Sign}} \alpha(\{1\})$, while it is easy to check that the best correct approximation of the square operation in $\mathit{Sign}$ is instead complete.

A dual form of completeness may be considered. The soundness condition $\alpha \circ f \sqsubseteq f^\sharp \circ \alpha$ can be equivalently formulated as $f \circ \gamma \sqsubseteq \gamma \circ f^\sharp$. Forward completeness for $f^\sharp$ corresponds to requiring that the equation $f \circ \gamma = \gamma \circ f^\sharp$ holds, and therefore means that no loss of precision occurs when a concrete computation $f(\gamma(a))$, for some abstract value $a \in A$, is approximated in $A$ by $f^\sharp(a)$. Let us notice that backward and forward completeness are orthogonal concepts. In fact: (1) as observed above, we have that $+^{\mathit{Sign}}$ is not backward complete while it is forward complete because for any $a_1, a_2 \in \mathit{Sign}$, $\gamma(a_1) + \gamma(a_2) = \gamma(a_1 +^{\mathit{Sign}} a_2)$; (2) the best correct approximation $(\cdot)^{2\,\mathit{Sign}}$ of the square operator on $\mathit{Sign}$ is not forward complete because $\gamma(\mathbb{Z}_{>0})^2 \subsetneq \gamma(\mathbb{Z}_{>0}) = \gamma((\mathbb{Z}_{>0})^{2\,\mathit{Sign}})$ while, as observed above, it is instead backward complete.

Giacobazzi et al. [31] observed that completeness uniquely depends upon the abstraction map, i.e. upon the abstract domain: this means that if $f^\sharp$ is backward complete for $f$ then the best correct approximation $f^A$ of $f$ in $A$ is backward complete as well, and, in this case, $f^\sharp$ indeed coincides with $f^A$. Hence, for any abstract domain $A$, one can define a backward complete abstract operation $f^\sharp$ on $A$ if and only if $f^A$ is backward complete. Thus, an abstract domain $A \in \mathrm{Abs}(C)$ is defined to be backward complete for $f$ iff the equation $\alpha \circ f = f^A \circ \alpha$ holds. This simple observation makes backward completeness an abstract domain property, namely an intrinsic characteristic of the abstract domain. Let us observe that $\alpha \circ f = f^A \circ \alpha$ holds iff $\gamma \circ \alpha \circ f = \gamma \circ f^A \circ \alpha = \gamma \circ \alpha \circ f \circ \gamma \circ \alpha$ holds, so that $A$ is backward complete for $f$ when $\mu_A \circ f = \mu_A \circ f \circ \mu_A$. Thus, a closure $\mu \in \mathrm{uco}(C)$, that defines some abstract domain, is backward complete for $f$ when $\mu \circ f = \mu \circ f \circ \mu$ holds. Analogous observations apply to forward completeness, which is also an abstract domain property: $A \in \mathrm{Abs}(C)$ is forward complete for $f$ (or forward $f$-complete) when $f \circ \mu_A = \mu_A \circ f \circ \mu_A$, while a closure $\mu \in \mathrm{uco}(C)$ is forward complete for $f$ when $f \circ \mu = \mu \circ f \circ \mu$ holds.

Let us also recall that, by a well-known result (see, e.g., [14, Theorem 7.1.0.4], [1, Fact 2.3] and [21, Lemma 4.3]), backward complete abstract domains are "fixpoint complete" as well. This means that if $A \in \mathrm{Abs}(C)$ is backward complete for a concrete monotone function $f : C \to C$ then $\alpha(\mathrm{lfp}(f)) = \mathrm{lfp}(f^A)$. Moreover, if $\alpha$ and $f$ are both co-continuous then this also holds for greatest fixpoints, namely $\alpha(\mathrm{gfp}(f)) = \mathrm{gfp}(f^A)$. As far as forward completeness is concerned, the following result holds.

¹ For simplicity of notation we consider here unary functions since the extension to generic n-ary functions is straightforward.

Lemma 2.1. If $A \in \mathrm{Abs}(C)$ is forward complete for a monotone $f$ then $\alpha(\mathrm{gfp}(f)) = \mathrm{gfp}(f^A)$. Moreover, if $\gamma$ and $f$ are both continuous and $\gamma(\bot_A) = \bot_C$ then $\alpha(\mathrm{lfp}(f)) = \mathrm{lfp}(f^A)$.

Proof. Let us show that $\alpha(\mathrm{gfp}(f)) = \mathrm{gfp}(f^A)$. On the one hand, since $\mathrm{gfp}(f) \leq \gamma(\alpha(\mathrm{gfp}(f)))$, we have that $\mathrm{gfp}(f) = f(\mathrm{gfp}(f)) \leq f(\gamma(\alpha(\mathrm{gfp}(f))))$, therefore, by using forward completeness, $\mathrm{gfp}(f) \leq \gamma(f^A(\alpha(\mathrm{gfp}(f))))$. Thus, $\alpha(\mathrm{gfp}(f)) \leq f^A(\alpha(\mathrm{gfp}(f)))$, from which it follows that $\alpha(\mathrm{gfp}(f)) \leq \mathrm{gfp}(f^A)$. On the other hand, by using forward completeness, $f(\gamma(\mathrm{gfp}(f^A))) = \gamma(f^A(\mathrm{gfp}(f^A))) = \gamma(\mathrm{gfp}(f^A))$, so that $\gamma(\mathrm{gfp}(f^A)) \leq \mathrm{gfp}(f)$, and therefore, by applying $\alpha$, we obtain that $\mathrm{gfp}(f^A) = \alpha(\gamma(\mathrm{gfp}(f^A))) \leq \alpha(\mathrm{gfp}(f))$.

Assume now that $\gamma$ and $f$ are both continuous and $\gamma(\bot_A) = \bot_C$. Let us show by induction on $k$ that for any $k \in \mathbb{N}$, $\gamma((f^A)^{k,\uparrow}(\bot_A)) = f^{k,\uparrow}(\bot_C)$.

($k = 0$): By hypothesis, $\gamma((f^A)^{0,\uparrow}(\bot_A)) = \gamma(\bot_A) = \bot_C = f^{0,\uparrow}(\bot_C)$.

($k + 1$):

$$\begin{aligned}
\gamma((f^A)^{k+1,\uparrow}(\bot_A)) &= \\
\gamma(f^A((f^A)^{k,\uparrow}(\bot_A))) &= \qquad \text{[by forward completeness]} \\
f(\gamma((f^A)^{k,\uparrow}(\bot_A))) &= \qquad \text{[by inductive hypothesis]} \\
f(f^{k,\uparrow}(\bot_C)) &= \\
f^{k+1,\uparrow}(\bot_C). &
\end{aligned}$$

Thus, by applying $\alpha$, we obtain that for any $k \in \mathbb{N}$,

$$(f^A)^{k,\uparrow}(\bot_A) = \alpha(f^{k,\uparrow}(\bot_C)). \qquad (\dagger)$$

Since $\gamma$ and $f$ are continuous and $\alpha$ is always additive, we have that $f^A = \alpha \circ f \circ \gamma$ is continuous because it is a composition of continuous functions. Hence:

$$\begin{aligned}
\mathrm{lfp}(f^A) &= \qquad \text{[by Knaster-Tarski's theorem]} \\
\vee_{k \in \mathbb{N}} (f^A)^{k,\uparrow}(\bot_A) &= \qquad \text{[by } (\dagger) \text{]} \\
\vee_{k \in \mathbb{N}} \alpha(f^{k,\uparrow}(\bot_C)) &= \qquad \text{[as } \alpha \text{ is additive]} \\
\alpha(\vee_{k \in \mathbb{N}} f^{k,\uparrow}(\bot_C)) &= \qquad \text{[by Knaster-Tarski's theorem]} \\
\alpha(\mathrm{lfp}(f)) &
\end{aligned}$$

and this concludes the proof. □

It is worth noting that concretization maps of abstract domains which satisfy the ascending chain condition (i.e., every ascending chain is eventually stationary) are always trivially continuous.



2.2.3 Shells

Refinements of abstract domains have been studied from the beginning of abstract interpretation [13, 14] and led to the notion of shell of an abstract domain [26, 29, 31]. Given a generic poset $P_\leq$ of semantic objects, where $x \leq y$ intuitively means that $x$ is a "refinement" of $y$, and a property $\mathcal{P} \subseteq P$ of these objects, the generic notion of shell goes as follows: the $\mathcal{P}$-shell of an object $x \in P$ is defined to be an object $s_x \in P$ such that:

(i) $s_x$ satisfies the property $\mathcal{P}$,

(ii) $s_x$ is a refinement of $x$, and

(iii) $s_x$ is the greatest among the objects satisfying (i) and (ii).

Note that if a $\mathcal{P}$-shell exists then it is unique. Moreover, if the $\mathcal{P}$-shell exists for any object in $P$ then it turns out that the operator mapping $x \in P$ to its $\mathcal{P}$-shell is a lower closure operator on $P$, being monotone, idempotent and reductive: this operator will be called the $\mathcal{P}$-shell refinement. We will be particularly interested in shells of abstract domains and partitions, namely shells in the complete lattices of abstract domains and partitions. Given a state space $\Sigma$ and a partition property $\mathcal{P} \subseteq \mathrm{Part}(\Sigma)$, the $\mathcal{P}$-shell of $P \in \mathrm{Part}(\Sigma)$ is the coarsest refinement of $P$ satisfying $\mathcal{P}$, when this exists. Also, given a concrete domain $C$ and a domain property $\mathcal{P} \subseteq \mathrm{Abs}(C)$, the $\mathcal{P}$-shell of $A \in \mathrm{Abs}(C)$, when this exists, is the most abstract domain that satisfies $\mathcal{P}$ and refines $A$. Giacobazzi et al. [31] gave a constructive characterization of backward complete abstract domains, under the assumption of dealing with continuous concrete functions. As a consequence, they showed that backward complete shells always exist when the concrete functions are continuous. In Section 6 we will follow this same idea for forward completeness and this will provide the link between strongly preserving abstract models and complete abstract interpretations.
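The forward completeness condition of Section 2.2.2 (a closure $\mu$ is forward $f$-complete when $f \circ \mu = \mu \circ f \circ \mu$, i.e. $f$ maps $\mathrm{img}(\mu)$ into itself) and the shell of Section 2.2.3 can both be computed directly on a finite state space. The Python code below is an added example and not the paper's own code: the Kripke structure, its labelling and every helper name are constructed here. It takes the partitioning domain $\mathrm{ad}(P_\ell)$ of the labelling partition, checks forward completeness for $\mathrm{pre}_\to$, computes the forward complete shell for the operators $\{\mathrm{pre}_\to, \complement\}$ as the limit of the refinement iteration $X_{i+1} = \mathcal{M}(X_i \cup \mathrm{pre}_\to(X_i) \cup \complement(X_i))$ (a greatest fixpoint in the lattice of abstract domains, reached in finitely many steps here), and compares the atoms of the resulting domain with the partition produced by classical partition refinement. Closing under complement as well as $\mathrm{pre}_\to$ is the assumption that makes the shell partitioning, in line with the introduction's remark that this happens when the language is closed under negation; on this instance the example confirms the introduction's claim that $\mathrm{ad}(P)$ is forward complete for $\mathrm{pre}_\to$ exactly when $P$ is a stable partition, i.e. a bisimulation.

```python
from itertools import combinations

# Constructed Kripke structure (added example, not from the paper):
# Σ = {0,...,6}, a total transition relation, and a labelling ℓ over AP = {a, b, c}.
SIGMA = frozenset(range(7))
TRANS = frozenset({(0, 1), (1, 2), (2, 2), (3, 4), (4, 5), (5, 5), (6, 6)})
LABEL = {0: 'a', 1: 'b', 2: 'c', 3: 'a', 4: 'b', 5: 'c', 6: 'a'}
# P_ℓ: the partition induced by the labelling, here {{0,3,6}, {1,4}, {2,5}}.
P_LABEL = frozenset(frozenset(s for s in SIGMA if LABEL[s] == p) for p in set(LABEL.values()))


def pre(Y):
    """pre_→(Y) = {a | ∃b ∈ Y. a→b}."""
    return frozenset(a for (a, b) in TRANS if b in Y)


def comp(Y):
    """Complement ∁ w.r.t. Σ."""
    return SIGMA - Y


def moore(X):
    """Moore closure M(X) in ℘(Σ): close under intersections, with ∩∅ = Σ."""
    fam = {SIGMA}
    for x in X:
        fam |= {x & y for y in fam}
    return frozenset(fam)


def closure_of(X):
    """μ_X = λy. ∩{x ∈ X | y ⊆ x}, the uco whose image is the Moore family X."""
    return lambda y: frozenset.intersection(*[x for x in X if y <= x])


def partitioning_domain(P):
    """ad(P): the partitioning abstract domain of P, i.e. all unions of blocks of P."""
    blocks = list(P)
    return frozenset(frozenset().union(*c)
                     for r in range(len(blocks) + 1) for c in combinations(blocks, r))


def forward_complete(X, f):
    """X is forward f-complete iff f ∘ μ_X = μ_X ∘ f ∘ μ_X, i.e. f maps X into X."""
    mu = closure_of(X)
    return all(f(x) == mu(f(x)) for x in X)


def forward_shell(X, ops):
    """Forward complete shell of X for ops: the most abstract Moore family containing X
    that is forward complete for every op, obtained as the limit of the refinement
    iteration X_{i+1} = M(X_i ∪ ops(X_i)); on a finite Σ the iteration terminates."""
    cur = moore(X)
    while True:
        nxt = moore(cur | {f(x) for f in ops for x in cur})
        if nxt == cur:
            return cur
        cur = nxt


def atoms(X):
    """Minimal non-empty elements of X; for a partitioning domain these are the blocks."""
    nonempty = [x for x in X if x]
    return frozenset(x for x in nonempty if not any(y < x for y in nonempty))


def is_stable(P):
    """P is stable w.r.t. pre_→ (a bisimulation): for all blocks B, B', B ∩ pre(B') ∈ {∅, B}."""
    return all(not (B & pre(B2)) or B <= pre(B2) for B in P for B2 in P)


def coarsest_bisimulation(P):
    """Classical partition refinement: split a block B by a splitter pre(B') until stable."""
    P = set(P)
    changed = True
    while changed:
        changed = False
        for B in list(P):
            for B2 in list(P):
                S = B & pre(B2)
                if S and S != B:          # B' splits B into S and B \ S
                    P.remove(B)
                    P.update({S, B - S})
                    changed = True
                    break
            if changed:
                break
    return frozenset(P)


def demo():
    """ad(P_ℓ) is not forward complete for pre_→; its shell for {pre_→, ∁} is, and the
    atoms of the shell are exactly the coarsest bisimulation refining P_ℓ."""
    base = partitioning_domain(P_LABEL)
    shell = forward_shell(base, [pre, comp])
    return (forward_complete(base, pre), forward_complete(shell, pre),
            atoms(shell), coarsest_bisimulation(P_LABEL))
```

On this structure state 6 carries the same label as 0 and 3 but loops on itself, so $\mathrm{pre}_\to(\{1,4\}) = \{0,3\}$ is not a union of blocks of $P_\ell$; the shell splits $\{0,3,6\}$ accordingly and stops, and its 16 elements are the unions of the four blocks of the coarsest bisimulation.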

2.3 Abstract Model Checking and Strong Preservation 

Standard temporal languages like CTL, CTL*, ACTL, the /i-calculus, LTL, etc., are interpreted on mod- 
els specified as Kripke structures. Given a set AP of atomic propositions (of some language), a Kripke 
structure K = (E, i) over AP consists of a transition system (E, ->) together with a state labeling func- 
tion £ : E — > p{AP). We use the following notation: for any s G E, [a]t = {s' G E | £(s) = £{s')}, 
while Pi = {[s]i | s G E} G Part(E) denotes the state partition that is induced by t. The notation s^^ip 
means that a state s G E satisfies in tC a state formula tp of some language Jzf , where the specific definition 
of the satisfaction relation depends on the language Jzf (interpretations of standard logical/temporal 
operators can be found in [10]). 

Standard abstract model checking [9, 10] relies on abstract Kripke structures that are defined over
partitions of the concrete state space $\Sigma$. A set $A$ of abstract states is related to $\Sigma$ by a surjective
abstraction $h : \Sigma \to A$ that maps concrete states into abstract states and thus gives rise to a state partition
$P_h = \{h^{-1}(a) \mid a \in A\} \in \mathrm{Part}(\Sigma)$. Thus, in standard abstract model checking, formulae are interpreted
on an abstract Kripke structure $\mathcal{A} = (A, \to^\sharp, \ell^\sharp)$ whose states are an abstract representation in $A$ of some
block of the partition $P_h$. Given a specification language $\mathcal{L}$ of state formulae, a weak preservation result
for $\mathcal{L}$ guarantees that if a formula in $\mathcal{L}$ holds on an abstract Kripke structure $\mathcal{A}$ then it also holds on the
corresponding concrete structure $\mathcal{K}$: for any $\varphi \in \mathcal{L}$, $a \in A$ and $s \in \Sigma$ such that $h(s) = a$, if $a \models_{\mathcal{A}} \varphi$
then $s \models_{\mathcal{K}} \varphi$. Moreover, strong preservation (s.p. for short) for $\mathcal{L}$ encodes the equivalence of abstract and
concrete validity for formulae in $\mathcal{L}$: for any $\varphi \in \mathcal{L}$, $a \in A$ and $s \in \Sigma$ such that $h(s) = a$, $a \models_{\mathcal{A}} \varphi$ if and
only if $s \models_{\mathcal{K}} \varphi$.

The definition of weakly/strongly preserving abstract Kripke structures depends on the language $\mathcal{L}$.
Let us recall some well-known examples [9, 10, 33]. Let $\mathcal{K} = (\Sigma, \to, \ell)$ be a concrete Kripke structure and
$h : \Sigma \to A$ be a surjection.

(i) Consider the language ACTL*. If $P_h \preceq P_\ell$ then the abstract Kripke structure $\mathcal{A} = (A, \to^{\exists\exists}, \ell_h)$
weakly preserves ACTL*, where $\ell_h(a) = \cup\{\ell(s) \mid s \in \Sigma,\ h(s) = a\}$ and $\to^{\exists\exists} \subseteq A \times A$ is defined
as: $h(s_1) \to^{\exists\exists} h(s_2)$ iff $\exists s_1', s_2'.\ h(s_1') = h(s_1)\ \&\ h(s_2') = h(s_2)\ \&\ s_1' \to s_2'$.

(ii) Let $P_{sim} \in \mathrm{Part}(\Sigma)$ be the partition induced by simulation equivalence on $\mathcal{K}$. If $P_h = P_{sim}$ (this
also holds when $P_h \preceq P_{sim}$) then the abstract Kripke structure $\mathcal{A} = (A, \to^{\forall\exists}, \ell_h)$ strongly preserves
ACTL*, where $h(s_1) \to^{\forall\exists} h(s_2)$ iff $\forall s_1'.\ h(s_1') = h(s_1).\ \exists s_2'.\ h(s_2') = h(s_2)\ \&\ s_1' \to s_2'$.

(iii) Let $P_{bis} \in \mathrm{Part}(\Sigma)$ be the partition induced by bisimulation equivalence on $\mathcal{K}$. If $P_h = P_{bis}$ (this
also holds when $P_h \preceq P_{bis}$) then the abstract Kripke structure $\mathcal{A} = (A, \to^{\exists\exists}, \ell_h)$ strongly preserves
CTL*.

Following Dams [19, Section 6.1] and Henzinger et al. [36, Section 2.2], the notion of strong preservation
can be also given w.r.t. a mere state partition rather than w.r.t. an abstract Kripke structure. Let
$[\![\cdot]\!]_{\mathcal{K}} : \mathcal{L} \to \wp(\Sigma)$ be the semantic function of state formulae in $\mathcal{L}$ w.r.t. a Kripke structure $\mathcal{K} = (\Sigma, \to, \ell)$,
i.e., $[\![\varphi]\!]_{\mathcal{K}} = \{s \in \Sigma \mid s \models_{\mathcal{K}} \varphi\}$. Then, the semantic interpretation of $\mathcal{L}$ on $\mathcal{K}$ induces the following logical
equivalence $\equiv^{\mathcal{K}}_{\mathcal{L}} \subseteq \Sigma \times \Sigma$:

$s \equiv^{\mathcal{K}}_{\mathcal{L}} s'$ iff $\forall \varphi \in \mathcal{L}.\ s \in [\![\varphi]\!]_{\mathcal{K}} \Leftrightarrow s' \in [\![\varphi]\!]_{\mathcal{K}}$.

Figure 1: A U.K. traffic light.

Let $P_{\mathcal{L}} \in \mathrm{Part}(\Sigma)$ be the partition induced by $\equiv_{\mathcal{L}}$ (the index $\mathcal{K}$ denoting the Kripke structure is omitted).
Then, a partition $P \in \mathrm{Part}(\Sigma)$ is strongly preserving$^2$ for $\mathcal{L}$ (when interpreted on $\mathcal{K}$) if $P \preceq P_{\mathcal{L}}$.
Thus, $P_{\mathcal{L}}$ is the coarsest partition that is strongly preserving for $\mathcal{L}$. For a number of well known temporal
languages, like ACTL*, CTL* (see, respectively, the above points (ii) and (iii)), CTL*-X and the fragments
of the $\mu$-calculus described by Henzinger et al. [36], it turns out that if $P$ is strongly preserving for
$\mathcal{L}$ then the abstract Kripke structure $(P, \to^{\exists\exists}, \ell_{\mathcal{L}})$ is strongly preserving for $\mathcal{L}$, where, for any $B \in P$,
$\ell_{\mathcal{L}}(B) = \cup_{s \in B} \ell(s)$. In particular, $(P_{\mathcal{L}}, \to^{\exists\exists}, \ell_{\mathcal{L}})$ is strongly preserving for $\mathcal{L}$ and, additionally, $P_{\mathcal{L}}$ is
the smallest possible abstract state space, namely if $\mathcal{A} = (A, \to^\sharp, \ell^\sharp)$ is an abstract Kripke structure that
strongly preserves $\mathcal{L}$ then $|P_{\mathcal{L}}| \leq |A|$.

However, given a language $\mathcal{L}$ and a Kripke structure $\mathcal{K}$, where formulae of $\mathcal{L}$ are interpreted, the
following example shows that it is not always possible to define an abstract Kripke structure $\mathcal{A}$ on the
partition $P_{\mathcal{L}}$ such that $\mathcal{A}$ strongly preserves $\mathcal{L}$.

Example 2.2. Consider the following simple language $\mathcal{L}$:

$\mathcal{L} \ni \varphi ::= stop \mid go \mid \mathrm{AXX}\varphi$

and the Kripke structure $\mathcal{K}$ depicted in Figure 1, where superscripts determine the labeling function. $\mathcal{K}$
models a four-state traffic light controller (like in the U.K. and in Germany): Red $\to$ RedYellow $\to$
Green $\to$ Yellow. According to the standard semantics of AXX, we have that $s \models_{\mathcal{K}} \mathrm{AXX}\varphi$ iff for any
path $s_0 s_1 s_2 \ldots$ starting from $s_0 = s$, it happens that $s_2 \models \varphi$. It turns out that $[\![\mathrm{AXX}stop]\!]_{\mathcal{K}} = \{G, Y\}$
and $[\![\mathrm{AXX}go]\!]_{\mathcal{K}} = \{R, RY\}$. Thus, we have that $P_{\mathcal{L}} = \{\{R, RY\}, \{G, Y\}\}$. However, let us show
that there exists no abstract transition relation $\to^\sharp \subseteq P_{\mathcal{L}} \times P_{\mathcal{L}}$ such that the abstract Kripke structure
$\mathcal{A} = (P_{\mathcal{L}}, \to^\sharp, \ell_{\mathcal{L}})$ strongly preserves $\mathcal{L}$. Assume by contradiction that such an abstract Kripke structure
$\mathcal{A}$ exists. Let $B_1 = \{R, RY\} \in P_{\mathcal{L}}$ and $B_2 = \{G, Y\} \in P_{\mathcal{L}}$. Since $R \models_{\mathcal{K}} \mathrm{AXX}go$ and $G \models_{\mathcal{K}} \mathrm{AXX}stop$,
by strong preservation, it must be that $B_1 \models_{\mathcal{A}} \mathrm{AXX}go$ and $B_2 \models_{\mathcal{A}} \mathrm{AXX}stop$. Hence, necessarily, $B_1 \to^\sharp B_2$
and $B_2 \to^\sharp B_1$. This leads to the contradiction $B_1 \not\models_{\mathcal{A}} \mathrm{AXX}go$. In fact, if $\to^\sharp = \{(B_1, B_2), (B_2, B_1)\}$ then
we would have that $B_1 \not\models_{\mathcal{A}} \mathrm{AXX}go$. On the other hand, if, instead, $B_1 \to^\sharp B_1$ (the case $B_2 \to^\sharp B_2$ is analogous),
then we would still have that $B_1 \not\models_{\mathcal{A}} \mathrm{AXX}go$. Even more, along the same lines it is not hard to show
that no proper abstract Kripke structure that strongly preserves $\mathcal{L}$ can be defined, because even if either
$B_1$ or $B_2$ is split we still cannot define an abstract transition relation that is strongly preserving for $\mathcal{L}$. □
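The impossibility argument of Example 2.2 can be checked mechanically. The following Python script is an added example, not code from the paper: it reconstructs the four-state traffic light from the text (states R, RY, G, Y with the cyclic transition relation and the labels stop/go), computes the concrete semantics of $\mathrm{AXX}$ as $\mathrm{AX}\circ\mathrm{AX}$ with $\mathrm{AX} = \complement \circ \mathrm{pre} \circ \complement$ (which is the path semantics because every relation considered is total), derives the logical partition $P_{\mathcal{L}}$, and then enumerates every partition with fewer than four blocks together with every total abstract transition relation on it, checking strong preservation of the formulas $\mathrm{AXX}^k stop$ and $\mathrm{AXX}^k go$. The function names and the bound on nesting depth are the example's own choices.

```python
"""Example 2.2 checked by brute force (added example; the model is constructed
from the description of Figure 1 in the text)."""
from itertools import combinations, product

STATES = ("R", "RY", "G", "Y")
TRANS = frozenset({("R", "RY"), ("RY", "G"), ("G", "Y"), ("Y", "R")})
LABEL = {"R": {"stop"}, "RY": {"stop"}, "G": {"go"}, "Y": {"go"}}

def pre(trans, target):
    """pre(S): states having at least one successor in S."""
    return frozenset(s for (s, t) in trans if t in target)

def sem(states, trans, label, phi):
    """[[phi]] as a set of states.  AX phi = C(pre(C phi)); on a total
    transition relation this coincides with the path semantics of AXX."""
    states = frozenset(states)
    if isinstance(phi, str):                      # atom: "stop" or "go"
        return frozenset(s for s in states if phi in label[s])
    inner = sem(states, trans, label, phi[1])     # phi == ("AXX", psi)
    ax = lambda S: states - pre(trans, states - S)
    return ax(ax(inner))

def formulas(depth):
    """All formulas with at most `depth` nested AXX operators."""
    fs, layer = [], ["stop", "go"]
    for _ in range(depth + 1):
        fs.extend(layer)
        layer = [("AXX", f) for f in layer]
    return fs

def logical_partition(depth=3):
    """P_L: states are identified iff they satisfy the same formulas
    (on this model the semantics of AXX^k alternates with period 2, so
    depth 3 already distinguishes everything that can be distinguished)."""
    sems = [sem(STATES, TRANS, LABEL, f) for f in formulas(depth)]
    blocks = {}
    for s in STATES:
        blocks.setdefault(tuple(s in S for S in sems), set()).add(s)
    return frozenset(frozenset(b) for b in blocks.values())

def strongly_preserving(P, abs_trans, depth=3):
    """(P, abs_trans, l_L) with l_L(B) = union of the labels of B is s.p.
    iff B satisfies phi in the abstract structure exactly when every
    concrete state of B satisfies phi, for each formula checked."""
    abs_label = {B: set().union(*(LABEL[s] for s in B)) for B in P}
    for f in formulas(depth):
        conc = sem(STATES, TRANS, LABEL, f)
        abst = sem(P, abs_trans, abs_label, f)
        if any((B in abst) != (s in conc) for B in P for s in B):
            return False
    return True

def partitions(elems):
    """All set partitions of a sequence, as tuples of frozensets."""
    if not elems:
        yield ()
        return
    first, rest = elems[0], elems[1:]
    for p in partitions(rest):
        for i in range(len(p)):
            yield p[:i] + (p[i] | {first},) + p[i + 1:]
        yield p + (frozenset([first]),)

def total_relations(P):
    """Every transition relation on the blocks of P where each block has a successor."""
    targets = [frozenset(c) for n in range(1, len(P) + 1) for c in combinations(P, n)]
    for choice in product(targets, repeat=len(P)):
        yield frozenset((B, C) for B, succ in zip(P, choice) for C in succ)

def proper_sp_abstractions():
    """Abstract Kripke structures with fewer than |Sigma| states that are s.p. for L."""
    found = []
    for P in partitions(STATES):
        if len(P) < len(STATES):
            found.extend((P, rel) for rel in total_relations(P) if strongly_preserving(P, rel))
    return found

def concrete_is_sp():
    """Sanity check: the concrete structure, seen as an abstraction of itself, is s.p."""
    P = tuple(frozenset([s]) for s in STATES)
    rel = frozenset((frozenset([s]), frozenset([t])) for s, t in TRANS)
    return strongly_preserving(P, rel)
```

Running `proper_sp_abstractions()` returns the empty list: neither $P_{\mathcal{L}}$ nor any of its refinements with three blocks admits an abstract transition relation that strongly preserves $\mathcal{L}$, which is the claim made at the end of the example. Since strong preservation must hold for every formula, checking only finitely many formulas can never produce a false negative here.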

3 Partitions as Abstract Domains 

Let $\Sigma$ be any (possibly infinite) set of states. Following [15, Section 5], a partition $P \in \mathrm{Part}(\Sigma)$ can be
viewed as an abstraction of $\wp(\Sigma)_\subseteq$ as follows: any $S \subseteq \Sigma$ is over approximated by the unique minimal
cover of $S$ in $P$, namely by the union of all the blocks $B \in P$ such that $B \cap S \neq \varnothing$. A graphical example is
depicted on the left-hand side of Figure 2. This abstraction is formalized by a GI $(\alpha_P, \wp(\Sigma)_\subseteq, \wp(P)_\subseteq, \gamma_P)$
where:

$\alpha_P(S) = \{B \in P \mid B \cap S \neq \varnothing\}$, $\quad \gamma_P(\mathcal{B}) = \cup_{B \in \mathcal{B}} B$.

Hence, any partition $P \in \mathrm{Part}(\Sigma)$ induces an abstract domain $\mathrm{ad}_p(P) \in \mathrm{Abs}(\wp(\Sigma))$, and an abstract
domain $A \in \mathrm{Abs}(\wp(\Sigma))$ is called partitioning when $A$ is equivalent to $\mathrm{ad}_p(P)$ for some partition $P$.
Observe that the closure $\mathrm{ad}_p(P) = \gamma_P \circ \alpha_P$ associated to a partitioning abstract domain is defined as
$^2$ Dams [19] uses the term "fine" instead of "strongly preserving".

$\mathrm{ad}_p(P) = \lambda S.\ \cup\{B \in P \mid B \cap S \neq \varnothing\}$. Accordingly, a closure $\mu \in \mathrm{uco}(\wp(\Sigma))$ that coincides with
$\gamma_P \circ \alpha_P$, for some partition $P$, is called partitioning. We denote by $\mathrm{Abs}_{par}(\wp(\Sigma))$ and $\mathrm{uco}_{par}(\wp(\Sigma))$
the sets of, respectively, partitioning abstract domains and closures on $\wp(\Sigma)$. As noted in [16], a surjective
abstraction $h : \Sigma \to A$ used in standard abstract model checking that maps concrete states into
abstract states (cf. Section 2.3) gives rise to a partitioning Galois insertion $(\alpha_h, \wp(\Sigma)_\subseteq, \wp(A)_\subseteq, \gamma_h)$ where
$\alpha_h = \lambda S \subseteq \Sigma.\ \{h(s) \in A \mid s \in S\}$ and $\gamma_h = \lambda X \subseteq A.\ \{s \in \Sigma \mid h(s) \in X\}$.

Partitions can be also viewed as dual abstractions when a set $S$ is under approximated by the union of
all the blocks $B \in P$ such that $B \subseteq S$. A graphical example of this under approximation is depicted on the
right-hand side of Figure 2. This dual abstraction is formalized by the GI $(\alpha_P, \wp(\Sigma)_\supseteq, \wp(P)_\supseteq, \gamma_P)$ where
the ordering on the concrete domain $\wp(\Sigma)$ is given by the superset relation and

$\alpha_P(S) = \{B \in P \mid B \subseteq S\}$, $\quad \gamma_P(\mathcal{B}) = \cup_{B \in \mathcal{B}} B$.

In the following, we will be interested in viewing partitions as over approximations, that is partitions as
abstract domains of $\wp(\Sigma)_\subseteq$.

Thus, partitions can be viewed as representations of abstract domains. On the other hand, it turns out
that abstract domains can be abstracted to partitions. An abstract domain $A \in \mathrm{Abs}(\wp(\Sigma)_\subseteq)$ induces a state
equivalence $\equiv_A$ on $\Sigma$ by identifying those states that cannot be distinguished by $A$:

$s \equiv_A s'$ iff $\alpha(\{s\}) = \alpha(\{s'\})$.

For any $s \in \Sigma$, $[s]_A = \{s' \in \Sigma \mid \alpha(\{s\}) = \alpha(\{s'\})\}$ is a block of the state partition $\mathrm{par}(A)$ induced by $A$:

$\mathrm{par}(A) \stackrel{\mathrm{def}}{=} \{[s]_A \mid s \in \Sigma\}$.

Thus, $\mathrm{par} : \mathrm{Abs}(\wp(\Sigma)) \to \mathrm{Part}(\Sigma)$ is a mapping from abstract domains to partitions.

Example 3.1. Let $\Sigma = \{1, 2, 3, 4\}$ and let us specify abstract domains as uco's on $\wp(\Sigma)$. The uco's
$\mu_1 = \{\varnothing, 12, 3, 4, 1234\}$, $\mu_2 = \{\varnothing, 12, 3, 4, 34, 1234\}$, $\mu_3 = \{\varnothing, 12, 3, 4, 34, 123, 124, 1234\}$, $\mu_4 =
\{12, 123, 124, 1234\}$ and $\mu_5 = \{\varnothing, 12, 123, 1234\}$ all induce the same partition $P = \mathrm{par}(\mu_i) =
\{12, 3, 4\} \in \mathrm{Part}(\Sigma)$. For example, $\mu_5(\{1\}) = \mu_5(\{2\}) = \{1, 2\}$, $\mu_5(\{3\}) = \{1, 2, 3\}$ and $\mu_5(\{4\}) =
\{1, 2, 3, 4\}$ so that $\mathrm{par}(\mu_5) = P$. Observe that $\mu_3$ is the only partitioning abstract domain because
$\mathrm{ad}_p(P) = \mu_3$. □

Abstract domains of $\wp(\Sigma)$ carry additional information other than the underlying state partition and
this additional information allows us to distinguish them. It turns out that this can be precisely stated by
abstract interpretation since the above mappings $\mathrm{par}$ and $\mathrm{ad}_p$ allow us to show that the whole lattice of
partitions of $\Sigma$ can be viewed as a ("higher-order") abstraction of the lattice of abstract domains of $\wp(\Sigma)$.

Theorem 3.2. $(\mathrm{par}, \mathrm{Abs}(\wp(\Sigma))_\sqsubseteq, \mathrm{Part}(\Sigma)_\preceq, \mathrm{ad}_p)$ is a Galois insertion.

Proof. Let $A \in \mathrm{Abs}(\wp(\Sigma))$ and $P \in \mathrm{Part}(\Sigma)$ and let $\mu_A \in \mathrm{uco}(\wp(\Sigma))$ be the closure associated with the
abstract domain $A$. Let us prove that $P \preceq \mathrm{par}(A) \Leftrightarrow \mathrm{ad}_p(P) \sqsubseteq \mu_A$.

$(\Rightarrow)$ For $S \in \wp(\Sigma)$ we have to prove that $\mathrm{ad}_p(P)(S) \subseteq \mu_A(S)$. Consider $s \in \mathrm{ad}_p(P)(S)$. Hence, there
exists some $B \in P$ such that $s \in B$ and $B \cap S \neq \varnothing$. Let $q \in B \cap S$. Since $P \preceq \mathrm{par}(A)$, there exists
some block $[r]_A \in \mathrm{par}(A)$ such that $B \subseteq [r]_A$. Thus, for any $x, y \in B$, $\alpha(\{x\}) = \alpha(\{r\}) = \alpha(\{y\})$, in
particular, $\alpha(\{s\}) = \alpha(\{q\})$. Consequently, since $q \in S$ and therefore $\mu_A(\{q\}) \subseteq \mu_A(S)$, we have that
$\mu_A(\{s\}) = \mu_A(\{q\}) \subseteq \mu_A(S)$, so that $s \in \mu_A(S)$.

$(\Leftarrow)$ Consider a block $B \in P$ and some $s \in B$. We show that $B \subseteq [s]_A$, namely if $s', s'' \in B$
then $\alpha(\{s'\}) = \alpha(\{s''\})$. Since $\mathrm{ad}_p(P) \sqsubseteq \mu_A$, if $s', s'' \in B$ then $\mathrm{ad}_p(P)(\{s'\}) = B \subseteq \mu_A(\{s'\})$
so that $s'' \in \mu_A(\{s'\})$ and therefore $\mu_A(\{s''\}) \subseteq \mu_A(\{s'\})$. Likewise, $\mu_A(\{s'\}) \subseteq \mu_A(\{s''\})$ so that
$\mu_A(\{s'\}) = \mu_A(\{s''\})$ and in turn $\alpha(\{s'\}) = \alpha(\{s''\})$.

Finally, observe that $\mathrm{ad}_p$ is 1-1 so that the above adjunction is indeed a Galois insertion. □

Let us observe that, as recalled in Section 2.2, the adjoint maps $\mathrm{par}$ and $\mathrm{ad}_p$ give rise to an order
isomorphism between the lattices $(\mathrm{Part}(\Sigma), \preceq)$ and $(\mathrm{Abs}_{par}(\wp(\Sigma)), \sqsubseteq)$.

Corollary 3.3. Let $A \in \mathrm{Abs}(\wp(\Sigma))$. The following statements are equivalent:

(1) $A$ is partitioning.

(2) $\gamma$ is additive and $\{\gamma(\alpha(\{s\}))\}_{s \in \Sigma}$ is a partition of $\Sigma$. In this case, $\mathrm{par}(A) = \{\gamma(\alpha(\{s\}))\}_{s \in \Sigma}$.

(3) $A$ is forward complete for the complement operator $\complement$.

Proof. Let $A \in \mathrm{Abs}(\wp(\Sigma))$ and let $\mu_A = \gamma \circ \alpha \in \mathrm{uco}(\wp(\Sigma))$ be the corresponding uco.

(1) $\Rightarrow$ (2) By Theorem 3.2, $A \in \mathrm{Abs}_{par}(\wp(\Sigma))$ iff $\mathrm{ad}_p(\mathrm{par}(A)) = A$. Thus, if $\mathrm{ad}_p(\mathrm{par}(A)) = A$ then
$\mu_A = \gamma \circ \alpha$ is obviously additive. Moreover, $s \equiv_A s'$ iff $\alpha(\{s\}) = \alpha(\{s'\})$ iff $\gamma(\alpha(\{s\})) = \gamma(\alpha(\{s'\}))$,
so that, for any $s \in \Sigma$, $[s]_A = \gamma(\alpha(\{s\}))$ and therefore $\mathrm{par}(A) = \{\gamma(\alpha(\{s\}))\}_{s \in \Sigma}$.

(2) $\Rightarrow$ (1) Since $\{\gamma(\alpha(\{s\}))\}_{s \in \Sigma} = P \in \mathrm{Part}(\Sigma)$ we have that for any $s \in \Sigma$, $[s]_A = \gamma(\alpha(\{s\}))$: in fact,
if $s' \in \gamma(\alpha(\{s\}))$ then $\alpha(\{s'\}) \leq \alpha(\{s\})$, hence $\gamma(\alpha(\{s'\})) \subseteq \gamma(\alpha(\{s\}))$ and therefore $\gamma(\alpha(\{s'\})) =
\gamma(\alpha(\{s\}))$. Thus, $\mathrm{par}(A) = P$. Moreover, since $\gamma$ is additive, for any $S \subseteq \Sigma$, $\cup_{s \in S} \gamma(\alpha(\{s\})) =
\gamma(\vee_{s \in S} \alpha(\{s\})) = \gamma(\alpha(S)) \in \mu_A$. Hence, since $\mathrm{ad}_p(P) = \{\cup_{s \in S} \gamma(\alpha(\{s\})) \mid S \subseteq \Sigma\}$ we have that
$\mathrm{ad}_p(\mathrm{par}(A)) = A$.

(1) $\Rightarrow$ (3) Assume that $A \in \mathrm{Abs}_{par}(\wp(\Sigma))$. It is enough to prove that for any $s \in \Sigma$, $\complement(\mu_A(\{s\})) \in \mu_A$: in
fact, by (1) $\Rightarrow$ (2), $\gamma$ is additive and therefore $\mu_A$ is additive (because it is a composition of additive maps)
and therefore if $S \in \mu_A$ then $S = \cup_{s \in S} \mu_A(\{s\})$ so that $\complement(S) = \cap_{s \in S} \complement(\mu_A(\{s\}))$. Let us observe the
following fact (*): for any $s, s' \in \Sigma$, $s \notin \mu_A(\{s'\}) \Leftrightarrow \mu_A(\{s\}) \cap \mu_A(\{s'\}) = \varnothing$; this is a consequence of
the fact that, by (1) $\Rightarrow$ (2), $\{\mu_A(\{s\})\}_{s \in \Sigma}$ is a partition. For any $s \in \Sigma$, we have that $\complement(\mu_A(\{s\})) \in \mu_A$
because:

$\mu_A(\complement(\mu_A(\{s\}))) = \mu_A(\{s' \in \Sigma \mid s' \notin \mu_A(\{s\})\})$ [by additivity of $\mu_A$]

$= \cup\{\mu_A(\{s'\}) \mid s' \notin \mu_A(\{s\})\}$ [by the above fact (*)]

$= \cup\{\mu_A(\{s'\}) \mid \mu_A(\{s'\}) \cap \mu_A(\{s\}) = \varnothing\}$
$= \cup\{\mu_A(\{s'\}) \mid \mu_A(\{s'\}) \subseteq \complement(\mu_A(\{s\}))\}$
$\subseteq \complement(\mu_A(\{s\}))$.

(3) $\Rightarrow$ (1) Assume that $\mu_A$ is forward complete for $\complement$, i.e. $\mu_A$ is closed under complements. By (2) $\Rightarrow$ (1),
it is enough to prove that $\gamma$ is additive and that $\{\mu_A(\{s\})\}_{s \in \Sigma} \in \mathrm{Part}(\Sigma)$.

(i) $\gamma$ is additive. Observe that $\gamma$ is additive iff $\mu_A$ is additive iff $\mu_A$ is closed under arbitrary unions. If
$\{S_i\}_{i \in I} \subseteq \mu_A$ then $\cup_i S_i = \complement(\cap_i \complement(S_i)) \in \mu_A$, because $\mu_A$ is closed under complements (and arbitrary
intersections).

(ii) $\{\mu_A(\{s\})\}_{s \in \Sigma} \in \mathrm{Part}(\Sigma)$. Clearly, we have that $\cup_{s \in \Sigma} \mu_A(\{s\}) = \Sigma$. Consider now $s, r \in \Sigma$ such that
$\mu_A(\{s\}) \cap \mu_A(\{r\}) \neq \varnothing$. Let us show that $\mu_A(\{s\}) = \mu_A(\{r\})$. In order to show this, let us prove that
$s \in \mu_A(\{r\})$. Notice that $\mu_A(\{s\}) \setminus \mu_A(\{r\}) = \mu_A(\{s\}) \cap \complement(\mu_A(\{r\})) \in \mu_A$, because $\mu_A$ is closed under
complements. If $s \notin \mu_A(\{r\})$ then we would have that $s \in \mu_A(\{s\}) \setminus \mu_A(\{r\}) \in \mu_A$, and this would
imply $\mu_A(\{s\}) \subseteq \mu_A(\{s\}) \setminus \mu_A(\{r\})$, namely $\mu_A(\{s\}) = \mu_A(\{s\}) \setminus \mu_A(\{r\})$. Thus, we
would obtain the contradiction $\mu_A(\{s\}) \cap \mu_A(\{r\}) = \varnothing$. Hence, we have that $s \in \mu_A(\{r\})$ and therefore
$\mu_A(\{s\}) \subseteq \mu_A(\{r\})$. By swapping the roles of $s$ and $r$, we also obtain that $\mu_A(\{r\}) \subseteq \mu_A(\{s\})$, so that
$\mu_A(\{s\}) = \mu_A(\{r\})$. □
Let us remark that $\mathbb{P} \stackrel{\mathrm{def}}{=} \mathrm{ad}_p \circ \mathrm{par}$ is a lower closure operator on $(\mathrm{Abs}(\wp(\Sigma)), \sqsubseteq)$ and that for any
$A \in \mathrm{Abs}(\wp(\Sigma))$, $A$ is partitioning iff $\mathbb{P}(A) = A$. Hence, $\mathbb{P}$ is exactly the partitioning-shell refinement,
namely $\mathbb{P}(A)$ is the most abstract refinement of $A$ that is partitioning.
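The constructions of this section (Example 3.1, Theorem 3.2 and Corollary 3.3) can be computed on finite state spaces. The Python script below is an added example and not code from the paper: an abstract domain is represented by the family of its closed sets (the image of its uco), `par` and `ad_p` are implemented as defined above, and `check_theorems` verifies exhaustively on a three-element state space both the adjunction of Theorem 3.2 (with $A \sqsubseteq B$ encoded as "every closed set of $B$ is closed in $A$") and the equivalence (1) $\Leftrightarrow$ (3) of Corollary 3.3. The domains $\mu_1, \ldots, \mu_5$ are those of Example 3.1; the function names are the example's own.

```python
"""par, ad_p and the partitioning test of Corollary 3.3 (added example)."""
from itertools import combinations

def fam(*words):
    """A family of closed sets from strings like '12', '34', '' (the empty set)."""
    return frozenset(frozenset(int(ch) for ch in w) for w in words)

# The five uco's of Example 3.1, given as their images (families of closed sets).
MU1 = fam("", "12", "3", "4", "1234")
MU2 = fam("", "12", "3", "4", "34", "1234")
MU3 = fam("", "12", "3", "4", "34", "123", "124", "1234")
MU4 = fam("12", "123", "124", "1234")
MU5 = fam("", "12", "123", "1234")

def universe(domain):
    """The top element of a Moore family is the union of all its members."""
    return frozenset().union(*domain)

def closure(domain):
    """The uco mu_A of a Moore family: S |-> the smallest closed set containing S."""
    return lambda S: min((a for a in domain if frozenset(S) <= a), key=len)

def par(domain):
    """par(A): s and s' share a block iff mu_A({s}) = mu_A({s'})."""
    mu = closure(domain)
    blocks = {}
    for s in universe(domain):
        blocks.setdefault(mu({s}), set()).add(s)
    return frozenset(frozenset(b) for b in blocks.values())

def ad_p(partition):
    """ad_p(P) as a family: every union of blocks of P (the empty union included)."""
    blocks = list(partition)
    return frozenset(frozenset().union(*c)
                     for n in range(len(blocks) + 1) for c in combinations(blocks, n))

def is_partitioning(domain):
    """A is partitioning iff ad_p(par(A)) = A (Theorem 3.2)."""
    return ad_p(par(domain)) == domain

def closed_under_complement(domain):
    """Forward completeness for the complement: the family is closed under C."""
    U = universe(domain)
    return all((U - a) in domain for a in domain)

def refines_partition(P, Q):
    """P <= Q in Part(Sigma): every block of P lies inside a block of Q."""
    return all(any(b <= c for c in Q) for b in P)

def all_partitions(elems):
    if not elems:
        yield ()
        return
    first, rest = elems[0], elems[1:]
    for p in all_partitions(rest):
        for i in range(len(p)):
            yield p[:i] + (p[i] | {first},) + p[i + 1:]
        yield p + (frozenset([first]),)

def all_moore_families(elems):
    """Every family of subsets containing the universe and closed under intersection."""
    U = frozenset(elems)
    subsets = [frozenset(c) for n in range(len(elems) + 1) for c in combinations(elems, n)]
    others = [s for s in subsets if s != U]
    for n in range(len(others) + 1):
        for choice in combinations(others, n):
            family = frozenset(choice) | {U}
            if all((a & b) in family for a in family for b in family):
                yield family

def check_theorems(elems=(1, 2, 3)):
    """Theorem 3.2: P <= par(A) iff ad_p(P) is more precise than A (A's closed sets are
    unions of blocks of P).  Corollary 3.3: partitioning iff closed under complement."""
    parts = list(all_partitions(list(elems)))
    for A in all_moore_families(elems):
        if is_partitioning(A) != closed_under_complement(A):
            return False
        for P in parts:
            if refines_partition(P, par(A)) != (A <= ad_p(P)):
                return False
    return True
```

All five domains yield the partition $\{12, 3, 4\}$, only $\mu_3$ satisfies `is_partitioning`, and `closed_under_complement` agrees with it on every Moore family, as Corollary 3.3 states.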

4 Abstract Semantics of Languages 
4.1 Concrete Semantics 

We consider temporal specification languages $\mathcal{L}$ whose state formulae $\varphi$ are inductively defined by:

$\mathcal{L} \ni \varphi ::= p \mid f(\varphi_1, \ldots, \varphi_n)$

where $p$ ranges over a (typically finite) set of atomic propositions $AP$, while $f$ ranges over a finite set $Op$
of operators. $AP$ and $Op$ are also denoted, respectively, by $AP_{\mathcal{L}}$ and $Op_{\mathcal{L}}$. Each operator $f \in Op$ has
an arity$^3$ $\sharp(f) > 0$.

Formulae in $\mathcal{L}$ are interpreted on a semantic structure $\mathcal{S} = (\Sigma, I)$ where $\Sigma$ is any (possibly infinite) set
of states and $I$ is an interpretation function $I : AP \cup Op \to \mathrm{Fun}(\wp(\Sigma))$ that maps $p \in AP$ to $I(p) \in \wp(\Sigma)$
and $f \in Op$ to $I(f) : \wp(\Sigma)^{\sharp(f)} \to \wp(\Sigma)$. $I(p)$ and $I(f)$ are also denoted by, respectively, $\mathbf{p}$ and $\mathbf{f}$.
Moreover, $\mathbf{AP} = \{\mathbf{p} \in \wp(\Sigma) \mid p \in AP\}$ and $\mathbf{Op} = \{\mathbf{f} : \wp(\Sigma)^{\sharp(f)} \to \wp(\Sigma) \mid f \in Op\}$. Note that the
interpretation $I$ induces a state labeling $\ell_I : \Sigma \to \wp(AP)$ by $\ell_I(s) = \{p \in AP \mid s \in I(p)\}$. The concrete
state semantic function $[\![\cdot]\!]_{\mathcal{S}} : \mathcal{L} \to \wp(\Sigma)$ evaluates a formula $\varphi \in \mathcal{L}$ to the set of states making $\varphi$ true
w.r.t. the semantic structure $\mathcal{S}$:

$[\![p]\!]_{\mathcal{S}} = \mathbf{p}$ and $[\![f(\varphi_1, \ldots, \varphi_n)]\!]_{\mathcal{S}} = \mathbf{f}([\![\varphi_1]\!]_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]_{\mathcal{S}})$.

Semantic structures generalize the role of Kripke structures. In fact, in standard model checking a semantic
structure is usually defined through a Kripke structure $\mathcal{K}$, so that the interpretation of logical/temporal
operators is defined in terms of standard logical operators and paths in $\mathcal{K}$. In the following, we freely
use standard logical and temporal operators together with their corresponding usual interpretations: for
example, $I(\wedge) = \cap$, $I(\vee) = \cup$, $I(\neg) = \complement$, $I(\mathrm{EX}) = \mathrm{pre}_\to$, $I(\mathrm{AX}) = \widetilde{\mathrm{pre}}_\to$, etc. As an example, consider
the standard semantics of CTL:

$\mathrm{CTL} \ni \varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \mathrm{AX}\varphi \mid \mathrm{EX}\varphi \mid \mathrm{AU}(\varphi_1, \varphi_2) \mid \mathrm{EU}(\varphi_1, \varphi_2) \mid \mathrm{AR}(\varphi_1, \varphi_2) \mid \mathrm{ER}(\varphi_1, \varphi_2)$

with respect to a Kripke structure $\mathcal{K} = (\Sigma, R, \ell)$. Hence, $\mathcal{K}$ determines a corresponding interpretation $I$
for atoms in $AP$ and operators of $Op_{\mathrm{CTL}}$, namely $I(\mathrm{AX}) = \widetilde{\mathrm{pre}}_R$, $I(\mathrm{EX}) = \mathrm{pre}_R$, etc., and this defines
the concrete semantic function $[\![\cdot]\!]_{\mathcal{K}} : \mathrm{CTL} \to \wp(\Sigma)$.

If $g$ is any operator with arity $\sharp(g) = n > 0$ whose interpretation is given by $\mathbf{g} : \wp(\Sigma)^n \to \wp(\Sigma)$ and
$\mathcal{S} = (\Sigma, I)$ is a semantic structure then we say that a language $\mathcal{L}$ is closed under $g$ for $\mathcal{S}$ when for any
$\varphi_1, \ldots, \varphi_n \in \mathcal{L}$ there exists some $\psi \in \mathcal{L}$ such that $\mathbf{g}([\![\varphi_1]\!]_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]_{\mathcal{S}}) = [\![\psi]\!]_{\mathcal{S}}$. For instance, if $Op_{\mathcal{L}}$
includes EX and negation with their standard interpretations, i.e. $I(\mathrm{EX}) = \mathrm{pre}_\to$ and $I(\neg) = \complement$, then $\mathcal{L}$
is closed under AX with its standard interpretation $\widetilde{\mathrm{pre}}_\to$ because $\widetilde{\mathrm{pre}}_\to = \complement \circ \mathrm{pre}_\to \circ \complement$. This notion can be
extended in a straightforward way to infinitary operators: for instance, $\mathcal{L}$ is closed under infinite logical
conjunction for $\mathcal{S}$ iff for any $\Phi \subseteq \mathcal{L}$, there exists some $\psi \in \mathcal{L}$ such that $\cap_{\varphi \in \Phi} [\![\varphi]\!]_{\mathcal{S}} = [\![\psi]\!]_{\mathcal{S}}$. In particular,
let us remark that if $\mathcal{L}$ is closed under infinite logical conjunction then there must exist some $\psi \in \mathcal{L}$ such
that $\cap\varnothing = \Sigma = [\![\psi]\!]_{\mathcal{S}}$, namely $\mathcal{L}$ is able to express the tautology true. Let us remark that if the state space
$\Sigma$ is finite and $\mathcal{L}$ is closed under logical conjunction then we always mean that there exists some $\psi \in \mathcal{L}$
such that $\cap\varnothing = \Sigma = [\![\psi]\!]_{\mathcal{S}}$. Finally, note that $\mathcal{L}$ is closed under negation and infinite logical conjunction
if and only if $\mathcal{L}$ includes propositional logic.

$^3$ It would be possible to consider generic operators whose arity is any possibly infinite ordinal, thus allowing, for example, infinite
conjunctions or disjunctions.

Figure 3: A Kripke structure on the left and an abstract domain on the right.

4.2 Abstract Semantics 

In the following, we apply the standard abstract interpretation approach for defining abstract semantics
[13, 14]. Let $\mathcal{L}$ be a language and $\mathcal{S} = (\Sigma, I)$ be a semantic structure for $\mathcal{L}$. An abstract semantic
structure $\mathcal{S}^\sharp = (A, I^\sharp)$ is given by an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma)_\subseteq)$ and by an abstract interpretation
function $I^\sharp : AP \cup Op \to \mathrm{Fun}(A)$. An abstract semantic structure therefore induces an abstract
semantic function $[\![\cdot]\!]_{\mathcal{S}^\sharp} : \mathcal{L} \to A$ that evaluates formulae in $\mathcal{L}$ to abstract values in $A$. The abstract
interpretation $I^\sharp$ is a correct over-approximation (respectively, under-approximation) of $I$ on $A$ when for
any $p \in AP$, $\gamma(I^\sharp(p)) \supseteq I(p)$ (respectively, $\gamma(I^\sharp(p)) \subseteq I(p)$) and for any $f \in Op$, $\gamma \circ I^\sharp(f) \sqsupseteq
I(f) \circ \gamma$ (respectively, $\gamma \circ I^\sharp(f) \sqsubseteq I(f) \circ \gamma$), where $\sqsupseteq$ and $\sqsubseteq$ are the pointwise orderings. If $I^\sharp$ is a correct over-approximation (respectively, under-
approximation) of $I$ and the semantic operations in $\mathbf{Op}$ are monotone then the abstract semantics is an
over-approximation (respectively, under-approximation) of the concrete semantics, namely for any $\varphi \in \mathcal{L}$,
$\gamma([\![\varphi]\!]_{\mathcal{S}^\sharp}) \supseteq [\![\varphi]\!]_{\mathcal{S}}$ (respectively, $\gamma([\![\varphi]\!]_{\mathcal{S}^\sharp}) \subseteq [\![\varphi]\!]_{\mathcal{S}}$).

In particular, the abstract domain $A$ always induces an abstract semantic structure $\mathcal{S}^A = (A, I^A)$ where
$I^A$ is the best correct approximation of $I$ on $A$, i.e. $I^A$ interprets atoms $p$ and operators $f$ as best correct
approximations on $A$ of, respectively, $\mathbf{p}$ and $\mathbf{f}$: for any $p \in AP$ and $f \in Op$,

$I^A(p) = \alpha(\mathbf{p})$ and $I^A(f) = \mathbf{f}^A$.

Thus, the abstract domain $A$ systematically induces an abstract semantic function $[\![\cdot]\!]_{\mathcal{S}^A} : \mathcal{L} \to A$, also
denoted by $[\![\cdot]\!]^A_{\mathcal{S}}$, which is therefore defined by:

$[\![p]\!]^A_{\mathcal{S}} = \alpha(\mathbf{p})$ and $[\![f(\varphi_1, \ldots, \varphi_n)]\!]^A_{\mathcal{S}} = \mathbf{f}^A([\![\varphi_1]\!]^A_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]^A_{\mathcal{S}})$.

As usual in abstract interpretation, observe that the concrete semantics is a particular abstract semantics,
namely it is the abstract semantics induced by the "identical abstraction" $(\mathrm{id}, \wp(\Sigma), \wp(\Sigma), \mathrm{id})$.

Example 4.1. Let $\mathcal{L} \ni \varphi ::= p \mid q \mid r \mid \varphi_1 \wedge \varphi_2 \mid \mathrm{EX}\varphi$. Let us consider the Kripke structure $\mathcal{K} = (\Sigma, \to, \ell)$
and the lattice $A$ both depicted in Figure 3. Let $\mathcal{S}$ be the semantic structure induced by the Kripke structure
$\mathcal{K}$ so that $\mathbf{EX} = \mathrm{pre}_\to$. Let us consider the formulae $\mathrm{EX}r$ and $\mathrm{EX}(p \wedge q)$, whose concrete semantics are as
follows: $[\![\mathrm{EX}r]\!]_{\mathcal{S}} = \{3, 5\}$ and $[\![\mathrm{EX}(p \wedge q)]\!]_{\mathcal{S}} = \{1, 2\}$. $A$ is an abstract domain of $\wp(\Sigma)$ where the Galois
insertion $(\alpha, A, \gamma)$ is determined by the following concretization map:

$\gamma(\bot) = \varnothing$; $\gamma(a_1) = \{1, 2\}$; $\gamma(a_2) = \{3\}$; $\gamma(a_3) = \{3, 4\}$;
$\gamma(a_4) = \{1, 2, 3\}$; $\gamma(a_5) = \{3, 4, 5\}$; $\gamma(\top) = \{1, 2, 3, 4, 5\}$.

Note that, by Corollary 3.3, $A$ is not partitioning because $\gamma$ is not additive: $\gamma(a_2) \cup \gamma(a_3) = \{3, 4\} \subsetneq
\{3, 4, 5\} = \gamma(a_2 \vee a_3)$. It turns out that:

$[\![\mathrm{EX}r]\!]^A_{\mathcal{S}} = \alpha(\mathrm{pre}_\to(\gamma([\![r]\!]^A_{\mathcal{S}}))) = \alpha(\mathrm{pre}_\to(\gamma(\alpha(\mathbf{r})))) = \alpha(\mathrm{pre}_\to(\gamma(a_3)))$

$= \alpha(\mathrm{pre}_\to(\{3, 4\})) = \alpha(\{1, 2, 3, 5\}) = \top$;

$[\![\mathrm{EX}(p \wedge q)]\!]^A_{\mathcal{S}} = \alpha(\mathrm{pre}_\to(\gamma([\![p]\!]^A_{\mathcal{S}} \wedge [\![q]\!]^A_{\mathcal{S}}))) = \alpha(\mathrm{pre}_\to(\gamma(\alpha(\mathbf{p}) \wedge \alpha(\mathbf{q}))))$

$= \alpha(\mathrm{pre}_\to(\gamma(a_4 \wedge a_5))) = \alpha(\mathrm{pre}_\to(\gamma(a_2))) = \alpha(\mathrm{pre}_\to(\{3\})) = \alpha(\{1, 2\}) = a_1$.

Observe that the abstract semantics $[\![\mathrm{EX}r]\!]^A_{\mathcal{S}}$ is a proper over-approximation of $[\![\mathrm{EX}r]\!]_{\mathcal{S}}$ because $[\![\mathrm{EX}r]\!]_{\mathcal{S}} \subsetneq
\gamma([\![\mathrm{EX}r]\!]^A_{\mathcal{S}})$. On the other hand, the concrete semantics $[\![\mathrm{EX}(p \wedge q)]\!]_{\mathcal{S}}$ is precisely represented in $A$ because
$\gamma([\![\mathrm{EX}(p \wedge q)]\!]^A_{\mathcal{S}}) = [\![\mathrm{EX}(p \wedge q)]\!]_{\mathcal{S}}$. □
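Example 4.1 can be reproduced with a small interpreter that follows the definitions of Sections 4.1 and 4.2: the concrete semantic function evaluates atoms to their interpretation and operators to set functions, while the abstract semantic function $[\![\cdot]\!]^A_{\mathcal{S}}$ evaluates atoms through $\alpha$ and each operator through its best correct approximation $\alpha \circ \mathbf{f} \circ \gamma$. The Python script below is an added example, not code from the paper. The abstract domain is the one given by the concretization map above; since Figure 3 is not reproduced in the text, the transition relation and the labels are constructed so that they agree with every value the example states ($\mathrm{pre}_\to(\{3,4\}) = \{1,2,3,5\}$, $\mathrm{pre}_\to(\{3\}) = \{1,2\}$, $[\![\mathrm{EX}r]\!]_{\mathcal{S}} = \{3,5\}$, $[\![\mathrm{EX}(p \wedge q)]\!]_{\mathcal{S}} = \{1,2\}$), and $\alpha$ is computed as the element whose concretization is the smallest one containing the argument, which is well defined because the image of $\gamma$ is a Moore family.

```python
"""Concrete and abstract semantics of Example 4.1 (added example)."""

SIGMA = frozenset({1, 2, 3, 4, 5})
# Constructed transition relation and labels (assumption: consistent with the
# values stated in Example 4.1; the actual Figure 3 is not on the page).
TRANS = {(1, 3), (2, 3), (3, 4), (4, 5), (5, 4)}
ATOMS = {"p": frozenset({1, 2, 3}), "q": frozenset({3, 4, 5}), "r": frozenset({4})}

# The abstract domain A of Example 4.1, given by its concretization map.
GAMMA = {
    "bot": frozenset(), "a1": frozenset({1, 2}), "a2": frozenset({3}),
    "a3": frozenset({3, 4}), "a4": frozenset({1, 2, 3}), "a5": frozenset({3, 4, 5}),
    "top": SIGMA,
}

def alpha(S):
    """Best abstraction of S: the abstract value whose concretization is the
    smallest set of gamma's image that contains S (unique, Moore family)."""
    return min((a for a, c in GAMMA.items() if S <= c), key=lambda a: len(GAMMA[a]))

def pre(S):
    """pre_->(S): states with a successor in S (the interpretation of EX)."""
    return frozenset(s for (s, t) in TRANS if t in S)

def concrete(phi):
    """[[phi]]_S: atoms via I, 'and' via intersection, EX via pre."""
    if isinstance(phi, str):
        return ATOMS[phi]
    op, *args = phi
    if op == "and":
        return concrete(args[0]) & concrete(args[1])
    if op == "EX":
        return pre(concrete(args[0]))
    raise ValueError(op)

def abstract(phi):
    """[[phi]]^A_S: atoms via alpha, operators via best correct approximation
    f^A = alpha o f o gamma, applied to the abstract values of the arguments."""
    if isinstance(phi, str):
        return alpha(ATOMS[phi])
    op, *args = phi
    if op == "and":
        return alpha(GAMMA[abstract(args[0])] & GAMMA[abstract(args[1])])
    if op == "EX":
        return alpha(pre(GAMMA[abstract(args[0])]))
    raise ValueError(op)

def gamma_is_additive():
    """Corollary 3.3 (2): gamma(a v b) = gamma(a) u gamma(b) for all a, b,
    where the join a v b in A is alpha(gamma(a) u gamma(b))."""
    return all(GAMMA[alpha(GAMMA[a] | GAMMA[b])] == GAMMA[a] | GAMMA[b]
               for a in GAMMA for b in GAMMA)

def precisely_represented(phi):
    """True when gamma([[phi]]^A_S) equals [[phi]]_S, i.e. no precision is lost."""
    return GAMMA[abstract(phi)] == concrete(phi)

EX_R = ("EX", "r")
EX_P_AND_Q = ("EX", ("and", "p", "q"))
```

With these definitions `abstract(EX_R)` is `"top"` while `concrete(EX_R)` is `{3, 5}`, and `abstract(EX_P_AND_Q)` is `"a1"` with `GAMMA["a1"]` equal to `concrete(EX_P_AND_Q)`, matching the two computations of the example; `gamma_is_additive()` is false, so $A$ is not partitioning.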
5 Generalized Strong Preservation

We showed in Section 3 how a state partition $P$ can be viewed as a partitioning abstract domain $\mathrm{ad}_p(P)$
specified by the GI $(\alpha_P, \wp(\Sigma)_\subseteq, \wp(P)_\subseteq, \gamma_P)$. Thus, given a language $\mathcal{L}$ and a corresponding semantic
structure $\mathcal{S} = (\Sigma, I)$, it turns out that any partition $P \in \mathrm{Part}(\Sigma)$ systematically induces a corresponding
abstract semantics $[\![\cdot]\!]^P_{\mathcal{S}} = [\![\cdot]\!]^{\mathrm{ad}_p(P)}_{\mathcal{S}} : \mathcal{L} \to \mathrm{ad}_p(P)$ that evaluates a formula in $\mathcal{L}$ to a (possibly
empty) union of blocks of $P$. Strong preservation for a partition $P$ can be characterized in terms of the
corresponding abstract domain $\mathrm{ad}_p(P)$ as follows.

Lemma 5.1. $P \in \mathrm{Part}(\Sigma)$ is s.p. for $\mathcal{L}$ iff $\forall \varphi \in \mathcal{L}$ and $S \subseteq \Sigma$, $\alpha_P(S) \subseteq [\![\varphi]\!]^P_{\mathcal{S}} \Leftrightarrow S \subseteq [\![\varphi]\!]_{\mathcal{S}}$.

Proof. $(\Rightarrow)$ Let us first observe that for any $\varphi \in \mathcal{L}$, $\gamma_P(\alpha_P([\![\varphi]\!]_{\mathcal{S}})) = [\![\varphi]\!]_{\mathcal{S}}$: in fact, for any $s \in [\![\varphi]\!]_{\mathcal{S}}$,
$\alpha_P(\{s\})$ is the block of $P$ containing $s$; since $P \preceq P_{\mathcal{L}}$, we have that $\gamma_P(\alpha_P(\{s\})) \subseteq [\![\varphi]\!]_{\mathcal{S}}$, and from this
$\gamma_P(\alpha_P([\![\varphi]\!]_{\mathcal{S}})) \subseteq [\![\varphi]\!]_{\mathcal{S}}$ and in turn (the reverse inclusion always holds) $\gamma_P(\alpha_P([\![\varphi]\!]_{\mathcal{S}})) = [\![\varphi]\!]_{\mathcal{S}}$.
Let us now prove by structural induction on $\varphi \in \mathcal{L}$ that $[\![\varphi]\!]_{\mathcal{S}} = \gamma_P([\![\varphi]\!]^P_{\mathcal{S}})$:

- $\varphi = p \in AP_{\mathcal{L}}$: by using the above observation, $[\![p]\!]_{\mathcal{S}} = \gamma_P(\alpha_P([\![p]\!]_{\mathcal{S}})) = \gamma_P([\![p]\!]^P_{\mathcal{S}})$.

- $\varphi = f(\varphi_1, \ldots, \varphi_n)$:

$[\![f(\varphi_1, \ldots, \varphi_n)]\!]_{\mathcal{S}} =$ [by the above observation]
$\gamma_P(\alpha_P([\![f(\varphi_1, \ldots, \varphi_n)]\!]_{\mathcal{S}})) =$ [by definition]
$\gamma_P(\alpha_P(\mathbf{f}([\![\varphi_1]\!]_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]_{\mathcal{S}}))) =$ [by inductive hypothesis]
$\gamma_P(\alpha_P(\mathbf{f}(\gamma_P([\![\varphi_1]\!]^P_{\mathcal{S}}), \ldots, \gamma_P([\![\varphi_n]\!]^P_{\mathcal{S}})))) =$ [by definition]
$\gamma_P([\![f(\varphi_1, \ldots, \varphi_n)]\!]^P_{\mathcal{S}})$.

Now, consider any $\varphi \in \mathcal{L}$. If $S \subseteq [\![\varphi]\!]_{\mathcal{S}}$ then $\alpha_P(S) \subseteq \alpha_P([\![\varphi]\!]_{\mathcal{S}}) = \alpha_P(\gamma_P([\![\varphi]\!]^P_{\mathcal{S}})) = [\![\varphi]\!]^P_{\mathcal{S}}$. Conversely,
if $\alpha_P(S) \subseteq [\![\varphi]\!]^P_{\mathcal{S}}$ then $S \subseteq \gamma_P([\![\varphi]\!]^P_{\mathcal{S}}) = [\![\varphi]\!]_{\mathcal{S}}$.

$(\Leftarrow)$: Consider a block $B \in P$ and $s, s' \in B$ so that $\alpha_P(\{s\}) = \{B\} = \alpha_P(\{s'\})$. By hypothesis, for
any $\varphi \in \mathcal{L}$, we have that $s \in [\![\varphi]\!]_{\mathcal{S}}$ iff $\alpha_P(\{s\}) \subseteq [\![\varphi]\!]^P_{\mathcal{S}}$ iff $\alpha_P(\{s'\}) \subseteq [\![\varphi]\!]^P_{\mathcal{S}}$ iff $s' \in [\![\varphi]\!]_{\mathcal{S}}$. Thus,
$s \equiv_{\mathcal{L}} s'$. □

This states that a partition $P \in \mathrm{Part}(\Sigma)$ is s.p. for $\mathcal{L}$ if and only if checking whether some set $S$ of
states satisfies some formula $\varphi \in \mathcal{L}$, i.e. $S \subseteq [\![\varphi]\!]_{\mathcal{S}}$, is equivalent to checking whether the abstract state
$\alpha_P(S)$ is more precise than the abstract semantics $[\![\varphi]\!]^P_{\mathcal{S}}$, that is $S$ is over-approximated by $[\![\varphi]\!]^P_{\mathcal{S}}$. The
key observation here is that in our abstract interpretation-based framework partitions are particular abstract
domains. This allows us to generalize the notion of strong preservation from partitions to generic abstract
semantic functions as follows.

Definition 5.2. Let $\mathcal{L}$ be a language, $\mathcal{S} = (\Sigma, I)$ be a semantic structure for $\mathcal{L}$ and $\mathcal{S}^\sharp = (A, I^\sharp)$ be a
corresponding abstract semantic structure. The abstract semantics $[\![\cdot]\!]_{\mathcal{S}^\sharp}$ is strongly preserving for $\mathcal{L}$ (w.r.t.
$\mathcal{S}$) if for any $\varphi \in \mathcal{L}$ and $S \subseteq \Sigma$,

$\alpha(S) \leq_A [\![\varphi]\!]_{\mathcal{S}^\sharp} \Leftrightarrow S \subseteq [\![\varphi]\!]_{\mathcal{S}}$. □

Definition 5.2 generalizes standard strong preservation from partitions, as characterized by Lemma 5.1,
both to an arbitrary abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ and to a corresponding abstract interpretation function
$I^\sharp$.

Likewise, standard weak preservation can be generalized as follows. Let $\mathcal{K} = (\Sigma, R, \ell)$ be a concrete
Kripke structure that induces the concrete semantics $[\![\varphi]\!]_{\mathcal{K}} = \{s \in \Sigma \mid s \models \varphi\}$. Let $h : \Sigma \to A$ be a
surjective abstraction and let $(\alpha_h, \wp(\Sigma), \wp(A), \gamma_h)$ be the corresponding partitioning abstract domain. Let
$\mathcal{A} = (A, \to^\sharp, \ell^\sharp)$ be an abstract Kripke structure on $A$ that gives rise to the abstract semantics $[\![\varphi]\!]_{\mathcal{A}} = \{a \in
A \mid a \models_{\mathcal{A}} \varphi\}$. Then, $\mathcal{A}$ weakly preserves $\mathcal{L}$ when

$\forall \varphi \in \mathcal{L}.\ \forall S \subseteq \Sigma.\ \alpha_h(S) \subseteq [\![\varphi]\!]_{\mathcal{A}} \Rightarrow S \subseteq [\![\varphi]\!]_{\mathcal{K}}$.

Hence, weak preservation can be generalized to generic abstract domains and abstract semantics according
to Definition 5.2.

Figure 4: A Kripke structure $\mathcal{K}$ on the left and an abstract Kripke structure $\mathcal{A}$ on the right.

5.1 Strong Preservation is an Abstract Domain Property 

Definition 5.2 is a direct and natural generalization of the standard notion of strong preservation in abstract
model checking. It can be equivalently stated as follows.

Lemma 5.3. $[\![\cdot]\!]_{\mathcal{S}^\sharp}$ is s.p. for $\mathcal{L}$ iff for any $\varphi \in \mathcal{L}$, $[\![\varphi]\!]_{\mathcal{S}} = \gamma([\![\varphi]\!]_{\mathcal{S}^\sharp})$.

Proof. $(\Rightarrow)$ On the one hand, $\gamma([\![\varphi]\!]_{\mathcal{S}^\sharp}) \subseteq [\![\varphi]\!]_{\mathcal{S}}$ iff $\alpha(\gamma([\![\varphi]\!]_{\mathcal{S}^\sharp})) \leq [\![\varphi]\!]_{\mathcal{S}^\sharp}$ iff $[\![\varphi]\!]_{\mathcal{S}^\sharp} \leq [\![\varphi]\!]_{\mathcal{S}^\sharp}$, which is
trivially true. On the other hand, $[\![\varphi]\!]_{\mathcal{S}} \subseteq \gamma([\![\varphi]\!]_{\mathcal{S}^\sharp})$ iff $\alpha([\![\varphi]\!]_{\mathcal{S}}) \leq [\![\varphi]\!]_{\mathcal{S}^\sharp}$ iff $[\![\varphi]\!]_{\mathcal{S}} \subseteq [\![\varphi]\!]_{\mathcal{S}}$, that is trivially
true.

$(\Leftarrow)$ We have that $S \subseteq [\![\varphi]\!]_{\mathcal{S}}$ iff $S \subseteq \gamma([\![\varphi]\!]_{\mathcal{S}^\sharp})$ iff $\alpha(S) \leq [\![\varphi]\!]_{\mathcal{S}^\sharp}$. □

In particular, it is worth noting that if $[\![\cdot]\!]_{\mathcal{S}^\sharp}$ is s.p. for $\mathcal{L}$ then $[\![\cdot]\!]_{\mathcal{S}^\sharp} = \alpha \circ [\![\cdot]\!]_{\mathcal{S}}$ holds.
Lemma 5.4. Let $A \in \mathrm{Abs}(\wp(\Sigma))$.

(1) Let $\mathcal{S}^\sharp_1 = (A, I^\sharp_1)$ and $\mathcal{S}^\sharp_2 = (A, I^\sharp_2)$ be abstract semantic structures on $A$. If $[\![\cdot]\!]_{\mathcal{S}^\sharp_1}$ and $[\![\cdot]\!]_{\mathcal{S}^\sharp_2}$ are both
s.p. for $\mathcal{L}$ then $[\![\cdot]\!]_{\mathcal{S}^\sharp_1} = [\![\cdot]\!]_{\mathcal{S}^\sharp_2}$.

(2) Let $\mathcal{S}^\sharp = (A, I^\sharp)$ be an abstract semantic structure on $A$. If $[\![\cdot]\!]_{\mathcal{S}^\sharp}$ is s.p. for $\mathcal{L}$ then $[\![\cdot]\!]^A_{\mathcal{S}}$ is s.p. for $\mathcal{L}$.

Proof. (1) By Lemma 5.3, for any $\varphi \in \mathcal{L}$, $\gamma([\![\varphi]\!]_{\mathcal{S}^\sharp_1}) = [\![\varphi]\!]_{\mathcal{S}} = \gamma([\![\varphi]\!]_{\mathcal{S}^\sharp_2})$, so that, by applying $\alpha$,

$[\![\varphi]\!]_{\mathcal{S}^\sharp_1} = \alpha(\gamma([\![\varphi]\!]_{\mathcal{S}^\sharp_1})) = \alpha([\![\varphi]\!]_{\mathcal{S}}) = \alpha(\gamma([\![\varphi]\!]_{\mathcal{S}^\sharp_2})) = [\![\varphi]\!]_{\mathcal{S}^\sharp_2}$.

(2) Let us first observe that for any $\varphi \in \mathcal{L}$, $\gamma(\alpha([\![\varphi]\!]_{\mathcal{S}})) = [\![\varphi]\!]_{\mathcal{S}}$. In fact, $\gamma(\alpha([\![\varphi]\!]_{\mathcal{S}})) \subseteq [\![\varphi]\!]_{\mathcal{S}}$ iff
$\alpha(\gamma(\alpha([\![\varphi]\!]_{\mathcal{S}}))) \leq [\![\varphi]\!]_{\mathcal{S}^\sharp}$ iff $\alpha([\![\varphi]\!]_{\mathcal{S}}) \leq [\![\varphi]\!]_{\mathcal{S}^\sharp}$ iff $[\![\varphi]\!]_{\mathcal{S}} \subseteq [\![\varphi]\!]_{\mathcal{S}}$. As a consequence of this fact, by
structural induction on $\varphi \in \mathcal{L}$, analogously to the proof of Lemma 5.1, it is easy to prove that $\gamma([\![\varphi]\!]^A_{\mathcal{S}}) =
[\![\varphi]\!]_{\mathcal{S}}$. Thus, by Lemma 5.3, $[\![\cdot]\!]^A_{\mathcal{S}}$ is s.p. for $\mathcal{L}$. □

Thus, it turns out that strong preservation is an abstract domain property. This means that given any
abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$, it is possible to define an abstract semantic structure $\mathcal{S}^\sharp = (A, I^\sharp)$ on
$A$ such that the corresponding abstract semantics $[\![\cdot]\!]_{\mathcal{S}^\sharp}$ is s.p. for $\mathcal{L}$ if and only if the induced abstract
semantics $[\![\cdot]\!]^A_{\mathcal{S}} : \mathcal{L} \to A$ is s.p. for $\mathcal{L}$. In particular, this also holds for the standard approach: if $\mathcal{A} =
(A, \to^\sharp, \ell^\sharp)$ is an abstract Kripke structure for $\mathcal{L}$, where $h : \Sigma \to A$ is the corresponding surjection, then
the standard abstract semantics $[\![\cdot]\!]_{\mathcal{A}}$ strongly preserves $\mathcal{L}$ if and only if the abstract semantics induced by
the partitioning abstract domain $(\alpha_h, \wp(\Sigma), \wp(A), \gamma_h)$ strongly preserves $\mathcal{L}$, and in this case this abstract
semantics coincides with the standard abstract semantics $[\![\cdot]\!]_{\mathcal{A}}$. Strong preservation is an abstract domain
property and therefore can be defined without loss of generality as follows.

Definition 5.5. An abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ is strongly preserving for $\mathcal{L}$ (w.r.t. a semantic structure
$\mathcal{S}$) when $[\![\cdot]\!]^A_{\mathcal{S}}$ is s.p. for $\mathcal{L}$ (w.r.t. $\mathcal{S}$). We denote by $\mathrm{SP}_{\mathcal{L}} \subseteq \mathrm{Abs}(\wp(\Sigma))$ the set of abstract domains
that are s.p. for $\mathcal{L}$. □

Example 5.6. Let us consider Example 4.1. It turns out that the abstract domain $A$ is not s.p. for $\mathcal{L}$
because, by Lemma 5.3, $[\![\mathrm{EX}r]\!]_{\mathcal{S}} = \{3, 5\} \subsetneq \{1, 2, 3, 4, 5\} = \gamma(\top) = \gamma([\![\mathrm{EX}r]\!]^A_{\mathcal{S}})$. □

Example 5.7. Let us consider the simple language $\mathcal{L} \ni \varphi ::= p \mid \mathrm{EX}\varphi$ and the Kripke structure $\mathcal{K}$
depicted in Figure 4. The Kripke structure $\mathcal{K}$ induces the semantic structure $\mathcal{S} = (\{1, 2, 3\}, I)$ such that
$I(p) = \{1, 2, 3\}$ and $I(\mathrm{EX}) = \mathrm{pre}_\to$. Hence, we have that $[\![p]\!]_{\mathcal{S}} = \{1, 2, 3\}$, $[\![\mathrm{EX}p]\!]_{\mathcal{S}} = \{1, 2, 3\}$ and, for
$k > 1$, $[\![\mathrm{EX}^k p]\!]_{\mathcal{S}} = \{1, 2, 3\}$. Let us consider the partitioning abstract domain $A$ induced by the partition
$P = \{[12], [3]\}$ and related to $\wp(\Sigma)$ by $\alpha$ and $\gamma$. Let us consider two different abstract semantic structures
on $A$.

- The abstract semantic structure $\mathcal{S}^A = (A, I^A)$ is induced as best correct approximation of $I$ by $A$.

- The abstract semantic structure $\mathcal{S}^{\mathcal{A}} = (A, I^{\mathcal{A}})$ is instead induced by the abstract Kripke structure
$\mathcal{A} = (A, \to^\sharp, \ell^\sharp)$ in Figure 4. Hence, $I^{\mathcal{A}}(p) = \{[12], [3]\}$ and $I^{\mathcal{A}}(\mathrm{EX}) = \mathrm{pre}_{\to^\sharp}$.

$\mathcal{S}^A$ is different from $\mathcal{S}^{\mathcal{A}}$ because $I^A(\mathrm{EX}) \neq I^{\mathcal{A}}(\mathrm{EX})$. In fact, $I^A(\mathrm{EX})(\{[12]\}) = \alpha(\mathrm{pre}_\to(\gamma(\{[12]\}))) =
\alpha(\mathrm{pre}_\to(\{1, 2\})) = \alpha(\{1\}) = \{[12]\}$, while $I^{\mathcal{A}}(\mathrm{EX})(\{[12]\}) = \mathrm{pre}_{\to^\sharp}(\{[12]\}) = \varnothing$.
Let us show that both the abstract semantics $[\![\cdot]\!]^A_{\mathcal{S}}$ and $[\![\cdot]\!]_{\mathcal{S}^{\mathcal{A}}}$ are s.p. for $\mathcal{L}$.

- We have that $[\![p]\!]^A_{\mathcal{S}} = \{[12], [3]\}$, $[\![\mathrm{EX}p]\!]^A_{\mathcal{S}} = \alpha(\mathrm{pre}_\to(\{1, 2, 3\})) = \alpha(\{1, 2, 3\}) = \{[12], [3]\}$ and,
for $k > 1$, $[\![\mathrm{EX}^k p]\!]^A_{\mathcal{S}} = \{[12], [3]\}$. Thus, for any $\varphi \in \mathcal{L}$, $[\![\varphi]\!]_{\mathcal{S}} = \gamma([\![\varphi]\!]^A_{\mathcal{S}})$.

- We have that $[\![p]\!]_{\mathcal{S}^{\mathcal{A}}} = \{[12], [3]\}$, $[\![\mathrm{EX}p]\!]_{\mathcal{S}^{\mathcal{A}}} = \mathrm{pre}_{\to^\sharp}(\{[12], [3]\}) = \{[12], [3]\}$ and, for $k > 1$,
$[\![\mathrm{EX}^k p]\!]_{\mathcal{S}^{\mathcal{A}}} = \{[12], [3]\}$. Thus, for any $\varphi \in \mathcal{L}$, $[\![\varphi]\!]_{\mathcal{S}} = \gamma([\![\varphi]\!]_{\mathcal{S}^{\mathcal{A}}})$.

Consequently, by Lemma 5.3, both abstract semantics are s.p. for $\mathcal{L}$. □



5.2 The Most Abstract Strongly Preserving Domain 

As recalled in Section 2.3, a language $\mathcal{L}$ and a semantic structure $\mathcal{S}$ for $\mathcal{L}$ induce a corresponding logical
partition $P_{\mathcal{L}} \in \mathrm{Part}(\Sigma)$. By Lemma 5.1, it turns out that $P_{\mathcal{L}}$ is the coarsest strongly preserving partitioning
abstract domain for $\mathcal{L}$. This can be generalized to arbitrary abstract domains as follows. Let us define
$\mathrm{AD}_{\mathcal{L}}$ by:

$\mathrm{AD}_{\mathcal{L}} = \mathcal{M}(\{[\![\varphi]\!]_{\mathcal{S}} \mid \varphi \in \mathcal{L}\})$.

Hence, $\mathrm{AD}_{\mathcal{L}}$ is the closure under arbitrary intersections of the set of concrete semantics of formulae in $\mathcal{L}$.
Observe that $\mathrm{AD}_{\mathcal{L}} \in \mathrm{Abs}(\wp(\Sigma))$ because it is a Moore-family of $\wp(\Sigma)$.

Theorem 5.8. For any $A \in \mathrm{Abs}(\wp(\Sigma))$, $A \in \mathrm{SP}_{\mathcal{L}}$ iff $A \sqsubseteq \mathrm{AD}_{\mathcal{L}}$.

Proof. Let $\mu = \gamma \circ \alpha \in \mathrm{uco}(\wp(\Sigma))$ and let $\mu_{\mathcal{L}} \in \mathrm{uco}(\wp(\Sigma))$ be the uco associated to $\mathrm{AD}_{\mathcal{L}}$, that is
$\mu_{\mathcal{L}}(S) = \cap\{[\![\varphi]\!]_{\mathcal{S}} \mid \varphi \in \mathcal{L},\ S \subseteq [\![\varphi]\!]_{\mathcal{S}}\}$. Recall that $A \sqsubseteq \mathrm{AD}_{\mathcal{L}}$ iff for any $\varphi \in \mathcal{L}$, $[\![\varphi]\!]_{\mathcal{S}} \in \mu$.
$(\Rightarrow)$ For any $\varphi \in \mathcal{L}$, we have that $\gamma(\alpha([\![\varphi]\!]_{\mathcal{S}})) = [\![\varphi]\!]_{\mathcal{S}}$ because, by Lemma 5.3, $\gamma(\alpha([\![\varphi]\!]_{\mathcal{S}})) =
\gamma(\alpha(\gamma([\![\varphi]\!]^A_{\mathcal{S}}))) = \gamma([\![\varphi]\!]^A_{\mathcal{S}}) = [\![\varphi]\!]_{\mathcal{S}}$.

$(\Leftarrow)$ By hypothesis, $\gamma(\alpha([\![\varphi]\!]_{\mathcal{S}})) = [\![\varphi]\!]_{\mathcal{S}}$ for any $\varphi$. Let us show by structural induction on $\varphi \in \mathcal{L}$ that
$[\![\varphi]\!]_{\mathcal{S}} = \gamma([\![\varphi]\!]^A_{\mathcal{S}})$.

- $\varphi = p \in AP_{\mathcal{L}}$: by using the hypothesis, $[\![p]\!]_{\mathcal{S}} = \gamma(\alpha([\![p]\!]_{\mathcal{S}})) = \gamma([\![p]\!]^A_{\mathcal{S}})$.

- $\varphi = f(\varphi_1, \ldots, \varphi_n)$:

$[\![f(\varphi_1, \ldots, \varphi_n)]\!]_{\mathcal{S}} =$ [by hypothesis]
$\gamma(\alpha([\![f(\varphi_1, \ldots, \varphi_n)]\!]_{\mathcal{S}})) =$ [by definition]
$\gamma(\alpha(\mathbf{f}([\![\varphi_1]\!]_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]_{\mathcal{S}}))) =$ [by inductive hypothesis]
$\gamma(\alpha(\mathbf{f}(\gamma([\![\varphi_1]\!]^A_{\mathcal{S}}), \ldots, \gamma([\![\varphi_n]\!]^A_{\mathcal{S}})))) =$ [by definition]
$\gamma([\![f(\varphi_1, \ldots, \varphi_n)]\!]^A_{\mathcal{S}})$.

Thus, by Lemma 5.3, $A \in \mathrm{SP}_{\mathcal{L}}$. □

Thus, $\mathrm{AD}_{\mathcal{L}}$ is the most abstract domain that is s.p. for $\mathcal{L}$ w.r.t. $\mathcal{S}$. As a consequence, it turns out that
$A$ is s.p. for $\mathcal{L}$ if and only if $A$ represents with no loss of precision the concrete semantics of any formula
in $\mathcal{L}$, that is $\forall \varphi \in \mathcal{L}.\ \gamma(\alpha([\![\varphi]\!]_{\mathcal{S}})) = [\![\varphi]\!]_{\mathcal{S}}$. Lemma 5.4 states that if a s.p. abstract semantics on a given
abstract domain exists then this is unique. Nevertheless, Example 5.7 shows that this unique s.p. abstract
semantics may be induced from different abstract semantic structures, i.e. different abstract interpretation
functions. However, when $\mathcal{L}$ is closed under conjunction, it turns out that on the most abstract s.p. domain
$\mathrm{AD}_{\mathcal{L}}$, the abstract interpretation function is unique and is given by the best correct approximation $I^{\mathrm{AD}_{\mathcal{L}}}$.
Theorem 5.9. Let $\mathcal{L}$ be closed under infinite logical conjunction and let $\mathcal{S}^\sharp = (\mathrm{AD}_{\mathcal{L}}, I^\sharp)$ be an abstract
semantic structure on $\mathrm{AD}_{\mathcal{L}}$. If $[\![\cdot]\!]_{\mathcal{S}^\sharp}$ is s.p. for $\mathcal{L}$ then $I^\sharp = I^{\mathrm{AD}_{\mathcal{L}}}$.

Proof. Since $\mathcal{L}$ is closed under arbitrary logical conjunctions we have that $\mathrm{AD}_{\mathcal{L}} = \{[\![\varphi]\!]_{\mathcal{S}} \mid \varphi \in \mathcal{L}\}$.
Thus, for any $a \in \mathrm{AD}_{\mathcal{L}}$, there exists some $\varphi \in \mathcal{L}$ such that $a = [\![\varphi]\!]_{\mathcal{S}^\sharp} = [\![\varphi]\!]^{\mathrm{AD}_{\mathcal{L}}}_{\mathcal{S}}$. In fact, if $a \in \mathrm{AD}_{\mathcal{L}}$
then $a = [\![\varphi]\!]_{\mathcal{S}}$, for some $\varphi \in \mathcal{L}$, so that, by Lemmata 5.3 and 5.4, $a = [\![\varphi]\!]_{\mathcal{S}} = \gamma([\![\varphi]\!]_{\mathcal{S}^\sharp}) = [\![\varphi]\!]_{\mathcal{S}^\sharp} =
[\![\varphi]\!]^{\mathrm{AD}_{\mathcal{L}}}_{\mathcal{S}}$.

Let $p \in AP$. Then, by Lemma 5.4, $[\![p]\!]_{\mathcal{S}^\sharp} = [\![p]\!]^{\mathrm{AD}_{\mathcal{L}}}_{\mathcal{S}}$ so that $I^\sharp(p) = I^{\mathrm{AD}_{\mathcal{L}}}(p)$.
Let $f \in Op$. Then,

$I^\sharp(f)(a_1, \ldots, a_n) =$ [by the observation above]

$I^\sharp(f)([\![\varphi_1]\!]_{\mathcal{S}^\sharp}, \ldots, [\![\varphi_n]\!]_{\mathcal{S}^\sharp}) =$ [by definition]

$[\![f(\varphi_1, \ldots, \varphi_n)]\!]_{\mathcal{S}^\sharp} =$ [by Lemma 5.4]

$[\![f(\varphi_1, \ldots, \varphi_n)]\!]^{\mathrm{AD}_{\mathcal{L}}}_{\mathcal{S}} =$ [by definition]

$I^{\mathrm{AD}_{\mathcal{L}}}(f)([\![\varphi_1]\!]^{\mathrm{AD}_{\mathcal{L}}}_{\mathcal{S}}, \ldots, [\![\varphi_n]\!]^{\mathrm{AD}_{\mathcal{L}}}_{\mathcal{S}}) =$ [by the observation above]
$I^{\mathrm{AD}_{\mathcal{L}}}(f)(a_1, \ldots, a_n)$.

Thus, $I^\sharp = I^{\mathrm{AD}_{\mathcal{L}}}$. □

Hence, in the most abstract s.p. domain AD^f there is a unique choice for interpreting atoms and operations 
of if. 

In our generalized framework, strong preservation for partitions becomes a particular instance through 
the Galois insertion par/ad p . Moreover, when if is closed under infinite conjunction, it turns out that the 
most abstract s.p. domain AD % is partitioning if and only if if is also closed under negation. 

Proposition 5.10.

(1) $P_{\mathcal{L}} = \mathrm{par}(AD_{\mathcal{L}})$ and $\mathrm{ad}_p(P_{\mathcal{L}}) = \mathbb{P}(AD_{\mathcal{L}})$.

(2) $P$ is strongly preserving for $\mathcal{L}$ iff $P \preceq \mathrm{par}(AD_{\mathcal{L}})$ iff $\mathrm{ad}_p(P) \sqsubseteq AD_{\mathcal{L}}$.

(3) Let $\mathcal{L}$ be closed under infinite logical conjunction. Then, $AD_{\mathcal{L}}$ is partitioning iff $\mathcal{L}$ is closed under logical negation.

Proof. (1) Let $\mu_{\mathcal{L}} \in \mathrm{uco}(\wp(\Sigma))$ be the uco associated to $AD_{\mathcal{L}}$. We have that $\mathrm{par}(AD_{\mathcal{L}}) = \{[s]_{AD_{\mathcal{L}}} \mid s \in \Sigma\}$, where $[s]_{AD_{\mathcal{L}}} = \{s' \in \Sigma \mid \mu_{\mathcal{L}}(\{s'\}) = \mu_{\mathcal{L}}(\{s\})\}$. We also have that $s \equiv_{\mathcal{L}} s'$ iff $\forall \varphi \in \mathcal{L}.\ s \in \llbracket\varphi\rrbracket_{\mathcal{S}} \Leftrightarrow s' \in \llbracket\varphi\rrbracket_{\mathcal{S}}$ iff $\mu_{\mathcal{L}}(\{s\}) = \mu_{\mathcal{L}}(\{s'\})$, so that $P_{\mathcal{L}} = \mathrm{par}(AD_{\mathcal{L}})$. Moreover, $\mathrm{ad}_p(P_{\mathcal{L}}) = \mathrm{ad}_p(\mathrm{par}(AD_{\mathcal{L}})) = \mathbb{P}(AD_{\mathcal{L}})$.

(2) $P$ is s.p. for $\mathcal{L}$ iff $P \preceq P_{\mathcal{L}}$ iff, by point (1), $P \preceq \mathrm{par}(AD_{\mathcal{L}})$ iff, by Theorem 3.2, $\mathrm{ad}_p(P) \sqsubseteq AD_{\mathcal{L}}$.

(3) Since $\mathcal{L}$ is closed under infinite logical conjunction, $AD_{\mathcal{L}} = \{\llbracket\varphi\rrbracket_{\mathcal{S}} \mid \varphi \in \mathcal{L}\}$. Thus, $\mathcal{L}$ is closed under logical negation iff $AD_{\mathcal{L}}$ is closed under complementation $\complement$, and this exactly means that $AD_{\mathcal{L}}$ is forward complete for the complement $\complement$. By Corollary 3.3, this latter fact happens iff $AD_{\mathcal{L}}$ is partitioning. □

In particular, when $\mathcal{L}$ is closed under conjunction but not under negation, it turns out that $\mathrm{ad}_p(P_{\mathcal{L}}) \sqsubset AD_{\mathcal{L}}$, i.e. a proper loss of information occurs when the domain $AD_{\mathcal{L}}$ is abstracted to the partition $\mathrm{par}(AD_{\mathcal{L}}) = P_{\mathcal{L}}$. On the other hand, when $\mathcal{L}$ is closed under conjunction and negation, we have that $\mathrm{ad}_p(P_{\mathcal{L}}) = AD_{\mathcal{L}}$ and therefore, by Theorem 5.9, the abstract interpretation function on the partitioning abstract domain $\mathrm{ad}_p(P_{\mathcal{L}})$ is uniquely determined.

Example 5.11. Let us consider the traffic light controller $\mathcal{K}$ in Example 2.2. As already observed, formulae of $\mathcal{L}$ have the following semantics in $\mathcal{K}$:

$\llbracket stop\rrbracket_{\mathcal{K}} = \{R, RY\}$; $\llbracket go\rrbracket_{\mathcal{K}} = \{G, Y\}$; $\llbracket \mathrm{AXX}\, stop\rrbracket_{\mathcal{K}} = \{G, Y\}$; $\llbracket \mathrm{AXX}\, go\rrbracket_{\mathcal{K}} = \{R, RY\}$

so that

$AD_{\mathcal{L}} = \mathcal{M}(\{\llbracket\varphi\rrbracket_{\mathcal{K}} \mid \varphi \in \mathcal{L}\}) = \{\varnothing, \{R, RY\}, \{G, Y\}, \{R, RY, G, Y\}\}$

and $P_{\mathcal{L}} = \mathrm{par}(AD_{\mathcal{L}}) = \{\{R, RY\}, \{G, Y\}\}$. We denote by $\mu_{\mathcal{L}}$ the uco associated to $AD_{\mathcal{L}}$. As shown in Example 2.2, it turns out that no abstract Kripke structure that properly abstracts $\mathcal{K}$ and strongly preserves $\mathcal{L}$ can be defined. In our approach, the abstract domain $AD_{\mathcal{L}}$ induces a corresponding strongly preserving abstract semantics $\llbracket\cdot\rrbracket^{AD_{\mathcal{L}}} : \mathcal{L} \to AD_{\mathcal{L}}$, where the best correct approximation of the operator $\mathbf{AXX} : \wp(\Sigma) \to \wp(\Sigma)$ on $AD_{\mathcal{L}}$ is:

$\mu_{\mathcal{L}} \circ \mathbf{AXX} = \{\varnothing \mapsto \varnothing,\ \{R, RY\} \mapsto \{G, Y\},\ \{G, Y\} \mapsto \{R, RY\},\ \{R, RY, G, Y\} \mapsto \{R, RY, G, Y\}\}$. □

Figure 5: Concrete (on the left) and abstract (on the right) Kripke structures.

Example 5.12. Consider the language CTL and the Kripke structure $\mathcal{K} = (\Sigma, \to, \ell)$ depicted in Figure 5, where the interpretation of temporal operators of CTL on $\mathcal{K}$ is standard. It is well known that the coarsest s.p. partition $P_{\mathrm{CTL}}$ can be obtained by refining the initial partition $P = \{1234, 5\}$ induced by the labeling $\ell$ through the Paige-Tarjan [42] algorithm, since $P_{\mathrm{CTL}}$ coincides with bisimulation equivalence on $\mathcal{K}$. It is easy to check that $P_{\mathrm{CTL}} = \{12, 3, 4, 5\}$. This partition determines (see point (2) in Section 2.3) the s.p. abstract Kripke structure depicted in Figure 5. Since CTL is closed under conjunction and negation, by Proposition 5.10 (1) and (3), it turns out that the most abstract s.p. domain $AD_{\mathrm{CTL}}$ is partitioning and coincides with the following partitioning closure:

$\mathrm{ad}_p(P_{\mathrm{CTL}}) = \{\varnothing, 12, 3, 4, 5, 34, 35, 45, 123, 124, 125, 345, 1234, 1235, 1245, 12345\}$.

Let us now consider the following language $\mathcal{L} \ni \varphi ::= p \mid q \mid \varphi_1 \wedge \varphi_2 \mid \mathrm{EF}_{[0,2]}\varphi$, where $\mathrm{EF}_{[0,2]}$ is a time bounded reachability operator that is useful for quantitative temporal analysis [24], e.g., of discrete real-time systems [10, Chapter 16]. The standard interpretation of $\mathrm{EF}_{[0,2]}$ is as follows: $s \models_{\mathcal{K}} \mathrm{EF}_{[0,2]}\varphi$ iff there exists a path $s_0 s_1 s_2 s_3 \ldots$ in $\mathcal{K}$ starting from $s = s_0$ and some $n \in [0, 2]$ such that $s_n \models_{\mathcal{K}} \varphi$. Let us characterize the semantics of formulae in $\mathcal{L}$:

$\llbracket p\rrbracket_{\mathcal{K}} = \{1,2,3,4\}$; $\llbracket q\rrbracket_{\mathcal{K}} = \{5\}$; $\llbracket \mathrm{EF}_{[0,2]}\, p\rrbracket_{\mathcal{K}} = \{1,2,3,4,5\}$;

$\llbracket \mathrm{EF}_{[0,2]}\, q\rrbracket_{\mathcal{K}} = \{3,4,5\}$; $\llbracket \mathrm{EF}_{[0,2]}(\mathrm{EF}_{[0,2]}\, q)\rrbracket_{\mathcal{K}} = \{1,2,3,4,5\}$;

$\llbracket p \wedge \mathrm{EF}_{[0,2]}\, q\rrbracket_{\mathcal{K}} = \{3,4\}$; $\llbracket \mathrm{EF}_{[0,2]}(p \wedge \mathrm{EF}_{[0,2]}\, q)\rrbracket_{\mathcal{K}} = \{1,2,3,4,5\}$.

Thus, $AD_{\mathcal{L}} = \mathcal{M}(\{\llbracket\varphi\rrbracket_{\mathcal{K}} \mid \varphi \in \mathcal{L}\}) = \{\varnothing, 5, 34, 345, 1234, 12345\}$. On the other hand, by Proposition 5.10 (1), $P_{\mathcal{L}} = \mathrm{par}(AD_{\mathcal{L}}) = \{12, 34, 5\}$. In this case, it turns out that $\mathrm{ad}_p(P_{\mathcal{L}}) \sqsubset AD_{\mathcal{L}}$. Moreover, analogously to Example 2.2, let us show that there exists no abstract transition relation $\to^\sharp \subseteq P_{\mathcal{L}} \times P_{\mathcal{L}}$ that determines an abstract Kripke structure $\mathcal{A} = (P_{\mathcal{L}}, \to^\sharp, \ell^\sharp)$ which strongly preserves $\mathcal{L}$. Let $B = \{1, 2\}$, $B' = \{3, 4\}$ and $B'' = \{5\}$ be the blocks in $P_{\mathcal{L}}$. Assume by contradiction that such an abstract Kripke structure $\mathcal{A}$ exists.

(i) On the concrete model $\mathcal{K}$ we have that $3 \models_{\mathcal{K}} \mathrm{EF}_{[0,2]}\, q$. Thus, by strong preservation, it must be that $B' \models_{\mathcal{A}} \mathrm{EF}_{[0,2]}\, q$. On the other hand, if $B' \to^\sharp B$ and $B \to^\sharp B''$ then $B \models_{\mathcal{A}} \mathrm{EF}_{[0,2]}\, q$ and therefore, by weak preservation, we would have that $1 \models_{\mathcal{K}} \mathrm{EF}_{[0,2]}\, q$, which is a contradiction. Thus, necessarily, $B' \to^\sharp B''$.

(ii) Let us observe that $1 \models_{\mathcal{K}} \mathrm{EF}_{[0,2]}\mathrm{EF}_{[0,2]}\, q$. Hence, by strong preservation, $B \models_{\mathcal{A}} \mathrm{EF}_{[0,2]}\mathrm{EF}_{[0,2]}\, q$. If $B \to^\sharp B''$ then, as in point (i), we would still have that $1 \models_{\mathcal{K}} \mathrm{EF}_{[0,2]}\, q$, i.e. a contradiction. Hence, necessarily, $B \to^\sharp B'$.

(iii) From $B \to^\sharp B'$ and $B' \to^\sharp B''$, we would obtain that $B \models_{\mathcal{A}} \mathrm{EF}_{[0,2]}\, q$ that, as observed in point (ii), is a contradiction.

Thus, this shows that it is not possible to define an abstract Kripke structure on the abstract state space $P_{\mathcal{L}}$ that strongly preserves $\mathcal{L}$. The abstract domain $AD_{\mathcal{L}}$ induces a corresponding abstract semantics $\llbracket\cdot\rrbracket^{AD_{\mathcal{L}}}$ that instead strongly preserves $\mathcal{L}$. In this case, the best correct approximation of the operator $\mathbf{EF}_{[0,2]}$ on $AD_{\mathcal{L}}$ is:

$\mu_{\mathcal{L}} \circ \mathbf{EF}_{[0,2]} = \{\varnothing \mapsto \varnothing,\ 5 \mapsto 345,\ 34 \mapsto 12345,\ 345 \mapsto 12345,\ 1234 \mapsto 12345,\ 12345 \mapsto 12345\}$. □



6 Strong Preservation and Completeness 

In this section we establish a precise correspondence between generalized strong preservation of abstract 
models and completeness of abstract interpretations, so that the problem of minimally refining an abstract 
model in order to get strong preservation can be formulated as a complete domain refinement in abstract 
interpretation. 

6.1 Forward Complete Shells

Let us consider forward completeness of abstract domains $A \in \mathrm{Abs}(C)$ for generic $n$-ary concrete operations $f : C^n \to C$, with $n \geq 0$. Hence, $A$ is forward complete for $f$, or simply $f$-complete, when $f \circ \langle \mu_A, \ldots, \mu_A\rangle = \mu_A \circ f \circ \langle \mu_A, \ldots, \mu_A\rangle$, that is, for any $x \in C^n$, $f(\mu_A(x_1), \ldots, \mu_A(x_n)) = \mu_A(f(\mu_A(x_1), \ldots, \mu_A(x_n)))$. Equivalently, $A$ is $f$-complete when for any $a \in A^n$, $f(\gamma(a_1), \ldots, \gamma(a_n)) = \gamma(\alpha(f(\gamma(a_1), \ldots, \gamma(a_n))))$. For a set of operations $F \subseteq \mathrm{Fun}(C)$, $A$ is $F$-complete when $A$ is $f$-complete for each $f \in F$. Observe that $F$-completeness for an abstract domain $A$ means that the associated closure $\mu_A$ is closed under the image of functions in $F$, namely $F(\mu_A) \subseteq \mu_A$. Also note that when $k : C^0 \to C$, i.e. $k \in C$ is a constant, $A$ is $k$-complete iff $k$ is precisely represented in $A$, i.e. $\gamma(\alpha(k)) = k$. Let us also note that an abstract domain $A \in \mathrm{Abs}(C)$ is always forward meet-complete because any uco is Moore-closed.

Let us first note that forward $F$-complete shells always exist. Let $\mathscr{S}_F : \mathrm{Abs}(C) \to \mathrm{Abs}(C)$ be defined as $\mathscr{S}_F(A) = \sqcup\{X \in \mathrm{Abs}(C) \mid X \sqsubseteq A,\ X \text{ is } F\text{-complete}\}$.

Lemma 6.1. $\mathscr{S}_F(A)$ is the $F$-complete shell of $A$.

Proof. Let $\eta = \sqcup\{\rho \in \mathrm{uco}(C) \mid \rho \sqsubseteq \mu_A,\ \rho \text{ is } F\text{-complete}\} = \cap\{\rho \in \mathrm{uco}(C) \mid \rho \sqsubseteq \mu_A,\ \rho \text{ is } F\text{-complete}\}$. Let $f \in F$, with $\sharp(f) = n > 0$ (if $\sharp(f) = 0$ then, trivially, $f \in \eta$) and $c \in \eta^n$. Consider any $\rho \in \mathrm{uco}(C)$ that is $F$-complete and such that $\rho \sqsubseteq \mu_A$. Since $\eta \subseteq \rho$, we have that $c \in \rho^n$ and therefore $f(c) \in \rho$ because $\rho$ is $F$-complete. Thus, $f(c) \in \eta$, i.e., $\eta$ is $F$-complete. □

A forward complete shell $\mathscr{S}_F(A)$ is a more concrete abstraction than $A$. How to characterize $\mathscr{S}_F(A)$? It is here useful to view abstract domains as closure operators on the concrete domain, i.e. as subsets of $C$. Hence, $A$ is viewed as the subset $\mathrm{img}(\mu_A) = \gamma(A)$ of the concrete domain $C$, so that $\mathscr{S}_F(A)$ can be characterized as the least Moore-closed subset of $C$ that contains $\mathrm{img}(\mu_A)$ and is forward $F$-complete. We need to characterize the least amount of concrete information that must be added to $\gamma(A)$ in order to get forward completeness. It turns out that forward complete shells admit a constructive fixpoint characterization. Let $F^{\mathrm{uco}} : \mathrm{uco}(C) \to \mathrm{uco}(C)$ be defined as follows: $F^{\mathrm{uco}}(\rho) = \mathcal{M}(F(\rho))$, namely $F^{\mathrm{uco}}(\rho)$ is the most abstract domain that contains the image of $F$ on $\rho$. Observe that the operator $\lambda\rho.\ \mu_A \sqcap F^{\mathrm{uco}}(\rho) : \mathrm{uco}(C) \to \mathrm{uco}(C)$ is monotone.

Lemma 6.2. $\mathscr{S}_F(A) = \mathrm{gfp}(\lambda\rho.\ \mu_A \sqcap F^{\mathrm{uco}}(\rho))$.

Proof. Observe that a uco $\rho$ is $F$-complete iff $F(\rho) \subseteq \rho$ iff $\mathcal{M}(F(\rho)) = F^{\mathrm{uco}}(\rho) \subseteq \rho$ iff $\rho \sqsubseteq F^{\mathrm{uco}}(\rho)$. Thus, we have that $\mathscr{S}_F(A) = \sqcup\{\rho \in \mathrm{uco}(C) \mid \rho \sqsubseteq \mu_A,\ \rho \text{ is } F\text{-complete}\} = \sqcup\{\rho \in \mathrm{uco}(C) \mid \rho \sqsubseteq \mu_A,\ \rho \sqsubseteq F^{\mathrm{uco}}(\rho)\} = \sqcup\{\rho \in \mathrm{uco}(C) \mid \rho \sqsubseteq \mu_A \sqcap F^{\mathrm{uco}}(\rho)\} = \mathrm{gfp}(\lambda\rho.\ \mu_A \sqcap F^{\mathrm{uco}}(\rho))$. □

Thus, it turns out that the lower iteration sequence of $\lambda\rho.\ \mu_A \sqcap F^{\mathrm{uco}}(\rho)$ in $\mathrm{uco}(C)$ converges to the complete shell $\mathscr{S}_F(\mu_A)$. Since $\mu_A \sqcap F^{\mathrm{uco}}(\rho) = \mathcal{M}(\mu_A \cup F(\rho))$, each step of this sequence simply adds to the current domain the images of its elements under $F$ and closes the result under intersections.

Example 6.3. Let us consider the square operator on sets of integers $\mathrm{sq} : \wp(\mathbb{Z}) \to \wp(\mathbb{Z})$, i.e. $\mathrm{sq}(X) = X^2 = \{x^2 \mid x \in X\}$, and the abstract domain $\mathrm{Sign} = \{\varnothing, \mathbb{Z}_{\leq 0}, \{0\}, \mathbb{Z}_{\geq 0}, \mathbb{Z}\}$. As observed in Section 2.2.2, $\mathrm{Sign}$ is not forward complete for the square operator. Let us apply Lemma 6.2 in order to compute the forward complete shell $\mathscr{S}_{\mathrm{sq}}(\mathrm{Sign})$. Observe that

$\varnothing^2 = \varnothing \in \mathrm{Sign}$; $\{0\}^2 = \{0\} \in \mathrm{Sign}$; $\mathbb{Z}_{\leq 0}^2 = \mathbb{Z}_{\geq 0}^2 = \mathbb{Z}^2 \notin \mathrm{Sign}$.

Thus, the first step of iteration refines $\mathrm{Sign}$ to $\mathrm{Sign} \cup \{\mathbb{Z}^2\}$ (notice that this is an abstract domain because it is Moore-closed). Then, $(\mathbb{Z}^2)^2 = \mathbb{Z}^{2^2} \notin \mathrm{Sign} \cup \{\mathbb{Z}^2\}$, so that on the second step of iteration we obtain $\mathrm{Sign} \cup \{\mathbb{Z}^2, \mathbb{Z}^{2^2}\}$. In general, for $n \geq 1$, the $n$-th step of iteration provides $\mathrm{Sign} \cup \{\mathbb{Z}^{2^k} \mid k \in [1, n]\}$, so that the complete shell $\mathscr{S}_{\mathrm{sq}}(\mathrm{Sign})$ coincides with the limit $\mathrm{Sign} \cup \{\mathbb{Z}^{2^n} \mid n \geq 1\}$ of this sequence, i.e. the least set of sets containing $\mathrm{Sign}$ that is Moore-closed and closed under $\mathrm{sq}$ (the greatest fixpoint in the lattice $\mathrm{uco}(\wp(\mathbb{Z}))$). □

Finally, the following easy observation will be useful later on.

Lemma 6.4. Let $F, G \subseteq \mathrm{Fun}(C)$. Then, $\mathscr{S}_F = \mathscr{S}_G$ if and only if for any $A \in \mathrm{Abs}(C)$, $A$ is $F$-complete $\Leftrightarrow$ $A$ is $G$-complete.

Proof. ($\Rightarrow$) If $A$ is $F$-complete then $A = \mathscr{S}_F(A) = \mathscr{S}_G(A)$ and therefore $A$ is $G$-complete as well; the other implication is symmetric. ($\Leftarrow$) This follows from $\mathscr{S}_F(A) = \sqcup\{X \in \mathrm{Abs}(C) \mid X \sqsubseteq A,\ X \text{ is } F\text{-complete}\} = \sqcup\{X \in \mathrm{Abs}(C) \mid X \sqsubseteq A,\ X \text{ is } G\text{-complete}\} = \mathscr{S}_G(A)$. □

6.2 Strong Preservation and Complete Shells

Let $\mathcal{L}$ be a language with atoms in $AP_{\mathcal{L}}$ and operators in $Op_{\mathcal{L}}$ and let $\mathcal{S} = (\Sigma, I)$ be a semantic structure for $\mathcal{L}$, so that $\mathbf{AP}_{\mathcal{L}}$ and $\mathbf{Op}_{\mathcal{L}}$ denote, respectively, the corresponding sets of semantic interpretations of atoms and operators. It turns out that forward completeness for $\mathbf{AP}_{\mathcal{L}}$ and $\mathbf{Op}_{\mathcal{L}}$ implies strong preservation for $\mathcal{L}$.

Lemma 6.5. If $A \in \mathrm{Abs}(\wp(\Sigma))$ is forward complete for $\mathbf{AP}_{\mathcal{L}}$ and $\mathbf{Op}_{\mathcal{L}}$ then $A$ is s.p. for $\mathcal{L}$.

Proof. By Theorem 5.8, it is enough to show that $A \sqsubseteq AD_{\mathcal{L}}$. Let us show by induction that for any $\varphi \in \mathcal{L}$, $\llbracket\varphi\rrbracket_{\mathcal{S}} = \gamma(\alpha(\llbracket\varphi\rrbracket_{\mathcal{S}}))$.

- $\varphi = p \in AP_{\mathcal{L}}$: since $A$ is forward complete for $\mathbf{p}$, $\llbracket p\rrbracket_{\mathcal{S}} = \mathbf{p} = \gamma(\alpha(\mathbf{p})) = \gamma(\alpha(\llbracket p\rrbracket_{\mathcal{S}}))$.

- $\varphi = f(\varphi_1, \ldots, \varphi_n)$ with $f \in Op_{\mathcal{L}}$:

$\llbracket f(\varphi_1, \ldots, \varphi_n)\rrbracket_{\mathcal{S}} =$ [by definition]
$\mathbf{f}(\llbracket\varphi_1\rrbracket_{\mathcal{S}}, \ldots, \llbracket\varphi_n\rrbracket_{\mathcal{S}}) =$ [by inductive hypothesis]
$\mathbf{f}(\gamma(\alpha(\llbracket\varphi_1\rrbracket_{\mathcal{S}})), \ldots, \gamma(\alpha(\llbracket\varphi_n\rrbracket_{\mathcal{S}}))) =$ [since $A$ is forward complete for $\mathbf{f}$]
$\gamma(\alpha(\mathbf{f}(\gamma(\alpha(\llbracket\varphi_1\rrbracket_{\mathcal{S}})), \ldots, \gamma(\alpha(\llbracket\varphi_n\rrbracket_{\mathcal{S}}))))) =$ [by inductive hypothesis and by definition]
$\gamma(\alpha(\llbracket f(\varphi_1, \ldots, \varphi_n)\rrbracket_{\mathcal{S}}))$.

□

On the other hand, the converse is not true, that is strong preservation does not imply forward completeness, as shown by the following example.

Example 6.6. Let us consider again Example 5.7 where we showed that the partitioning abstract domain $A = \wp(P)_{\subseteq}$ is s.p. for $\mathcal{L}$. However, $A$ is not forward complete for $\mathbf{Op}_{\mathcal{L}} = \{\mathrm{pre}_{\to}\}$. In fact: $\gamma(\alpha(\mathrm{pre}_{\to}(\gamma(\alpha(\{3\}))))) = \gamma(\alpha(\mathrm{pre}_{\to}(\{3\}))) = \gamma(\alpha(\{2,3\})) = \{1,2,3\}$ while $\mathrm{pre}_{\to}(\gamma(\alpha(\{3\}))) = \mathrm{pre}_{\to}(\{3\}) = \{2,3\}$. □

Instead, it turns out that most abstract s.p. domains can be characterized as forward complete shells.

6.2.1 Complete Shells as Strongly Preserving Abstract Domains

Partition refinement algorithms for computing behavioural equivalences like bisimulation [42], simulation equivalence [5, 35, 48] and (divergence blind) stuttering equivalence [32] are used in standard abstract model checking to compute the coarsest strongly preserving partition of temporal languages like CTL* or the $\mu$-calculus for the case of bisimulation equivalence, ACTL* for simulation equivalence and CTL*-X for stuttering equivalence.

Given a language $\mathcal{L}$ and a concrete state space $\Sigma$, these partition refinement algorithms work by iteratively refining an initial partition $P$ within the lattice of partitions $\mathrm{Part}(\Sigma)$ until the fixpoint $P_{\mathcal{L}}$ is reached. The input partition $P$ determines the set $AP_P$ of atoms and their interpretation $I_P$ as follows: $AP_P = \{p_B \mid B \in P\}$ and $I_P(p_B) = B$. More in general, any $\mathcal{X} \subseteq \wp(\Sigma)$ determines a set $\{p_X\}_{X \in \mathcal{X}}$ of atoms with interpretation $I_{\mathcal{X}}(p_X) = X$. In particular, this can be done for an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ by considering its concretization $\gamma(A) \subseteq \wp(\Sigma)$, namely $A$ is viewed as a set of atoms with interpretation $I_A(a) = \gamma(a)$. Thus, an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ together with a set of functions $F \subseteq \mathrm{Fun}(\wp(\Sigma))$ determine a language $\mathcal{L}_{A,F}$, with atoms in $A$, operations in $F$ and endowed with a semantic structure $\mathcal{S}_{A,F} = (\Sigma, I_A \cup I_F)$ such that for any $a \in A$, $I_A(a) = \gamma(a)$ and for any $f \in F$, $I_F(f) = f$. Therefore, the most abstract s.p. domain $AD_{\mathcal{L}_{A,F}}$ generalizes in our framework the output of a partition refinement algorithm for some language. Accordingly, we aim at characterizing $AD_{\mathcal{L}_{A,F}}$ as the output of a refinement process of the initial domain $A$ within the lattice $\mathrm{Abs}(\wp(\Sigma))$ of abstract domains. The following result shows that forward completeness for the operations in $F$ is the right notion of refinement to be used for the case of abstract domains.

Theorem 6.7. Let $A \in \mathrm{Abs}(\wp(\Sigma))$, $F \subseteq \mathrm{Fun}(\wp(\Sigma))$ and assume that $\mathcal{L}_{A,F}$ is closed under infinite logical conjunction. Then, $AD_{\mathcal{L}_{A,F}} = \mathscr{S}_F(A)$.

Proof. Since $\mathcal{L}_{A,F}$ is closed under conjunction we have that $AD_{\mathcal{L}_{A,F}} = \{\llbracket\varphi\rrbracket_{\mathcal{S}_{A,F}} \mid \varphi \in \mathcal{L}_{A,F}\}$. Let us first prove that $\{\llbracket\varphi\rrbracket_{\mathcal{S}_{A,F}} \mid \varphi \in \mathcal{L}_{A,F}\} \subseteq \mathscr{S}_F(A)$ by structural induction on $\varphi \in \mathcal{L}_{A,F}$:

- $\varphi = a \in A$: $\llbracket a\rrbracket_{\mathcal{S}_{A,F}} = I_A(a) = \gamma(a) \in \gamma(A) \subseteq \mathscr{S}_F(A)$.

- $\varphi = f(\varphi_1, \ldots, \varphi_n)$ with $f \in F$: $\llbracket f(\varphi_1, \ldots, \varphi_n)\rrbracket_{\mathcal{S}_{A,F}} = f(\llbracket\varphi_1\rrbracket_{\mathcal{S}_{A,F}}, \ldots, \llbracket\varphi_n\rrbracket_{\mathcal{S}_{A,F}})$, where, by inductive hypothesis, $\llbracket\varphi_i\rrbracket_{\mathcal{S}_{A,F}} \in \mathscr{S}_F(A)$. Therefore, since $\mathscr{S}_F(A)$ is forward $f$-complete, we have that $f(\llbracket\varphi_1\rrbracket_{\mathcal{S}_{A,F}}, \ldots, \llbracket\varphi_n\rrbracket_{\mathcal{S}_{A,F}}) \in \mathscr{S}_F(A)$.

Let us now prove the opposite inclusion. Let us first observe that $AD_{\mathcal{L}_{A,F}}$ is forward $F$-complete. For simplicity of notation, consider $f \in F$ with $\sharp(f) = 1$. If $\llbracket\varphi\rrbracket_{\mathcal{S}_{A,F}} \in AD_{\mathcal{L}_{A,F}}$, where $\varphi \in \mathcal{L}_{A,F}$, then $f(\varphi) \in \mathcal{L}_{A,F}$ and $f(\llbracket\varphi\rrbracket_{\mathcal{S}_{A,F}}) = \llbracket f(\varphi)\rrbracket_{\mathcal{S}_{A,F}} \in AD_{\mathcal{L}_{A,F}}$. Moreover, $\gamma(A) \subseteq AD_{\mathcal{L}_{A,F}}$, because $\gamma(a) = \llbracket a\rrbracket_{\mathcal{S}_{A,F}}$ for any $a \in A$. By Lemma 6.2, we know that $\mathscr{S}_F(A) = \sqcap_{\alpha \in \mathrm{Ord}} (\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\alpha,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))})$, so that it is sufficient to prove by transfinite induction on $\alpha \in \mathrm{Ord}$ that

$(\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\alpha,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}) \subseteq AD_{\mathcal{L}_{A,F}}$.

- $\alpha = 0$: $(\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{0,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}) = \top_{\mathrm{uco}(\wp(\Sigma))} = \{\Sigma\} \subseteq \gamma(A) \subseteq AD_{\mathcal{L}_{A,F}}$.

- $\alpha + 1$: By inductive hypothesis, $(\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\alpha,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}) \subseteq AD_{\mathcal{L}_{A,F}}$. Moreover, $AD_{\mathcal{L}_{A,F}}$ is Moore-closed and forward $F$-complete (hence closed under $F$), and it contains $\gamma(A) = \mu_A$. Thus, $\mu_A \sqcap \mathcal{M}(F((\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\alpha,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}))) = \mathcal{M}(\mu_A \cup F((\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\alpha,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}))) \subseteq AD_{\mathcal{L}_{A,F}}$, namely $(\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\alpha+1,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}) \subseteq AD_{\mathcal{L}_{A,F}}$.

- limit ordinal $\alpha$: This follows from

$(\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\alpha,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}) = \sqcap_{\beta < \alpha} (\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\beta,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))})$

because, by inductive hypothesis, $(\lambda\rho.\ \mu_A \sqcap \mathcal{M}(F(\rho)))^{\beta,\downarrow}(\top_{\mathrm{uco}(\wp(\Sigma))}) \subseteq AD_{\mathcal{L}_{A,F}}$ for any $\beta < \alpha$, and $AD_{\mathcal{L}_{A,F}}$ is Moore-closed.

□






6.2.2 Strongly Preserving Abstract Domains as Complete Shells

Let us consider a language $\mathcal{L}$, with atoms in $AP_{\mathcal{L}}$ and operators in $Op_{\mathcal{L}}$, and a semantic structure $\mathcal{S} = (\Sigma, I)$. As an immediate consequence of Theorem 6.7, the most abstract s.p. domain $AD_{\mathcal{L}}$ for $\mathcal{L}$ w.r.t. $\mathcal{S}$ can be characterized as the forward $\mathbf{AP}_{\mathcal{L}} \cup \mathbf{Op}_{\mathcal{L}}$-complete shell of the most abstract domain $\{\Sigma\}$.

Corollary 6.8. Let $\mathcal{L}$ be closed under infinite logical conjunction. Then, $AD_{\mathcal{L}} = \mathscr{S}_{\mathbf{AP}_{\mathcal{L}} \cup \mathbf{Op}_{\mathcal{L}}}(\{\Sigma\})$.

Let us also observe that $AD_{\mathcal{L}}$ can be equivalently characterized as the forward $\mathbf{Op}_{\mathcal{L}}$-complete shell of the initial abstract domain $\mathcal{M}(\mathbf{AP}_{\mathcal{L}})$ induced by atoms: $AD_{\mathcal{L}} = \mathscr{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathcal{M}(\mathbf{AP}_{\mathcal{L}}))$.

6.2.3 Strongly Preserving Partitions

Theorem 6.7 and Corollary 6.8 provide an elegant generalization of partition refinement algorithms for strong preservation from an abstract interpretation perspective.

Given a language $\mathcal{L}$ with operators in $Op_{\mathcal{L}}$ and a corresponding semantic structure $\mathcal{S} = (\Sigma, I)$, as recalled in Section 6.2.1, an input partition $P \in \mathrm{Part}(\Sigma)$ for a partition refinement algorithm determines the set $AP_{\mathcal{L}} = \{p_B \mid B \in P\}$ of atoms of $\mathcal{L}$ and their interpretation $I(p_B) = B$. Thus, $\mathcal{M}(\mathbf{AP}_{\mathcal{L}}) = \mathcal{M}(P) = P \cup \{\varnothing, \Sigma\}$. It turns out that the coarsest s.p. partition $P_{\mathcal{L}}$ for $\mathcal{L}$ can be characterized in our abstract domain-based approach as follows.

Corollary 6.9. Let $\mathcal{L}$ be closed under infinite logical conjunction.

(1) $P_{\mathcal{L}} = \mathrm{par}(\mathscr{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathcal{M}(P)))$.

(2) Let $\mathcal{L}$ be closed under logical negation. Then, $\mathrm{ad}_p(P_{\mathcal{L}}) = \mathscr{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathcal{M}(P))$.

Proof. (1) By Corollary 6.8, $AD_{\mathcal{L}} = \mathscr{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathcal{M}(P))$ and, by Proposition 5.10 (1), $P_{\mathcal{L}} = \mathrm{par}(AD_{\mathcal{L}}) = \mathrm{par}(\mathscr{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathcal{M}(P)))$.

(2) By Proposition 5.10 (1) and (3), Corollary 6.8 and point (1), $\mathrm{ad}_p(P_{\mathcal{L}}) = \mathrm{ad}_p(\mathrm{par}(AD_{\mathcal{L}})) = AD_{\mathcal{L}} = \mathscr{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathcal{M}(P))$. □

It is worth remarking that when $\mathcal{L}$ is not closed under negation, by Proposition 5.10 (3) and Corollary 6.9 (2), it turns out that $\mathrm{ad}_p(P_{\mathcal{L}}) \sqsubset \mathscr{S}_{\mathbf{Op}_{\mathcal{L}}}(\mathcal{M}(P))$. This means that when $\mathcal{L}$ is not closed under negation the output partition $P_{\mathcal{L}}$ of any partition refinement algorithm for achieving strong preservation for $\mathcal{L}$ is not optimal within the lattice of abstract domains: the partitioning domain $\mathrm{ad}_p(P_{\mathcal{L}})$ is strictly more concrete than the most abstract s.p. domain $AD_{\mathcal{L}}$.

Example 6.10. Let us consider the language $\mathcal{L}$ and the concrete Kripke structure $\mathcal{K}$ in Example 5.12. The labeling determines the initial partition $P = \{\mathbf{p} = 1234, \mathbf{q} = 5\} \in \mathrm{Part}(\Sigma)$, so that $\mathcal{M}(P) = \{\varnothing, 1234, 5, 12345\} \in \mathrm{Abs}(\wp(\Sigma))$. Here, $\mathbf{Op}_{\mathcal{L}} = \{\cap, \mathbf{EF}_{[0,2]}\}$. Abstract domains are Moore-closed so that $\mathscr{S}_{\mathbf{Op}_{\mathcal{L}}} = \mathscr{S}_{\mathbf{EF}_{[0,2]}}$. Let us compute $\mathscr{S}_{\mathbf{EF}_{[0,2]}}(\mathcal{M}(P))$.

$A_0 = \mathcal{M}(P) = \{\varnothing, 1234, 5, 12345\}$

$A_1 = A_0 \sqcap \mathcal{M}(\mathbf{EF}_{[0,2]}(A_0)) = \mathcal{M}(A_0 \cup \mathbf{EF}_{[0,2]}(A_0))$
$\quad = \mathcal{M}(\{\varnothing, 1234, 5, 12345\} \cup \{\mathbf{EF}_{[0,2]}(5) = 345\}) = \{\varnothing, 5, 34, 345, 1234, 12345\}$

(the images of $\varnothing$, $1234$ and $12345$ already belong to $A_0$, while $34 = 345 \cap 1234$ is added by the Moore closure)

$A_2 = A_1$ (fixpoint)

As already observed in Example 5.12, $P_{\mathcal{L}} = \{12, 34, 5\}$ is such that $\mathrm{ad}_p(P_{\mathcal{L}}) \sqsubset \mu_{\mathcal{L}}$ and it is not possible to define a strongly preserving abstract Kripke structure on the abstract space $P_{\mathcal{L}}$. □
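On a finite state space the computation of Examples 5.12 and 6.10 can be carried out mechanically, since each step of the lower iteration of Lemma 6.2 is $A_{i+1} = \mathcal{M}(A_i \cup F(A_i))$. The following Python script is an added illustration and is not code from the paper. Figure 5 is not reproduced on this page, so the transition relation below is a constructed one (1→3, 2→3, 3→4, 4→5, 5→1) chosen to agree with the formula semantics listed in Example 5.12; the function names `moore`, `complete_shell`, `par`, `ad_p` and `bca` are illustrative, not notation from the paper. It recomputes $AD_{\mathcal{L}} = \mathscr{S}_{\mathbf{EF}_{[0,2]}}(\mathcal{M}(P))$, $P_{\mathcal{L}} = \mathrm{par}(AD_{\mathcal{L}})$, the best correct approximation table of Example 5.12 and the strict loss $\mathrm{ad}_p(P_{\mathcal{L}}) \sqsubset AD_{\mathcal{L}}$; going one step beyond the text, it also shows that requiring forward completeness for $\complement$ as well (i.e. closing the language under negation, cf. Proposition 5.10 (3)) yields, on this constructed structure, the partitioning domain $\mathrm{ad}_p(\{12, 3, 4, 5\})$ of Example 5.12.

```python
"""Forward complete shells on a finite state space (Lemma 6.2, Theorem 6.7,
Corollary 6.9), worked on the language of Examples 5.12 / 6.10.

Added illustration, not the paper's code.  The Kripke structure is
CONSTRUCTED: Figure 5 is not on the page, so the successor map below is just
one relation consistent with the formula semantics listed in Example 5.12.
"""
from itertools import combinations

STATES = frozenset({1, 2, 3, 4, 5})
SUCC = {1: {3}, 2: {3}, 3: {4}, 4: {5}, 5: {1}}   # assumed total transition relation
ATOMS = {"p": frozenset({1, 2, 3, 4}), "q": frozenset({5})}  # labelling of Example 5.12


def pre(x):
    """pre_->(X): states having a successor in X (additive)."""
    return frozenset(s for s in STATES if SUCC[s] & x)


def ef_bounded(x, k=2):
    """EF_[0,k](X): states with a path of at most k steps ending in X."""
    reach = frontier = frozenset(x)
    for _ in range(k):
        frontier = pre(frontier)
        reach |= frontier
    return reach


def complement(x):
    return STATES - x


def moore(sets):
    """M(X): close a family of sets under intersection, with top = Sigma."""
    closed = set(sets) | {STATES}
    changed = True
    while changed:
        changed = False
        for a, b in combinations(list(closed), 2):
            c = a & b
            if c not in closed:
                closed.add(c)
                changed = True
    return frozenset(closed)


def complete_shell(domain, ops):
    """S_F(A): lower iteration A_{i+1} = M(A_i ∪ F(A_i)) of Lemma 6.2.
    It terminates because the concrete domain ℘(Sigma) is finite."""
    current = moore(domain)
    while True:
        nxt = moore(current | {op(x) for op in ops for x in current})
        if nxt == current:
            return current
        current = nxt


def mu(domain, x):
    """Closure operator of a Moore family: the least element containing x."""
    return frozenset.intersection(*(y for y in domain if x <= y))


def par(domain):
    """par(A): states are glued when their singletons have the same closure."""
    return frozenset(frozenset(t for t in STATES if mu(domain, {t}) == mu(domain, {s}))
                     for s in STATES)


def ad_p(partition):
    """ad_p(P): every union of blocks of P (the partitioning closure)."""
    blocks = list(partition)
    return frozenset(frozenset().union(*(b for i, b in enumerate(blocks) if mask >> i & 1))
                     for mask in range(1 << len(blocks)))


def bca(domain, op):
    """Best correct approximation mu_A ∘ op of a unary operator on A."""
    return {x: mu(domain, op(x)) for x in domain}


def example_6_10():
    """AD_L, P_L and ad_p(P_L) for Op_L = {∩, EF[0,2]}, plus the shell obtained
    when complement (negation) must be forward complete as well."""
    initial = moore(ATOMS.values())                        # M(P) = {∅, 1234, 5, 12345}
    ad_l = complete_shell(initial, [ef_bounded])           # = AD_L (Corollary 6.8)
    p_l = par(ad_l)                                        # = P_L (Corollary 6.9 (1))
    with_negation = complete_shell(initial, [ef_bounded, complement])
    return ad_l, p_l, ad_p(p_l), with_negation


if __name__ == "__main__":
    ad_l, p_l, adp_pl, neg = example_6_10()
    fmt = lambda fam: sorted("".join(map(str, sorted(x))) or "∅" for x in fam)
    print("AD_L      =", fmt(ad_l))
    print("P_L       =", fmt(p_l))
    print("ad_p(P_L) =", fmt(adp_pl), "(strictly more concrete than AD_L)")
    print("mu_L ∘ EF =", {"".join(map(str, sorted(k))) or "∅": "".join(map(str, sorted(v)))
                          for k, v in bca(ad_l, ef_bounded).items()})
    print("with ¬    =", fmt(neg), "= ad_p({12,3,4,5})")
```

The same functions apply unchanged to the traffic light controller of Example 5.11 once `STATES`, `SUCC` and `ATOMS` are replaced; the shell computation is exactly the lower iteration $A_0 = \mathcal{M}(P)$, $A_{i+1} = \mathcal{M}(A_i \cup F(A_i))$ of Example 6.10, and `par` together with `ad_p` exhibit the Galois insertion of Proposition 5.10.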

7 An Application to some Behavioural Equivalences 

It is well known that some temporal languages like CTL, ACTL and CTL-X induce state logical equiv- 
alences that coincide with standard behavioural equivalences like bisimulation equivalence for CTL, (di- 
vergence blind) stuttering equivalence for CTL-X and simulation equivalence for ACTL. We derive here 
a novel characterization of these behavioural equivalences in terms of forward completeness of abstract 
interpretations. 
7.1 Bisimulation Equivalence

Let $\mathcal{K} = (\Sigma, \to, \ell)$ be a Kripke structure over some set $AP$ of atomic propositions. A relation $R \subseteq \Sigma \times \Sigma$ is a bisimulation on $\mathcal{K}$ if for any $s, s' \in \Sigma$ such that $sRs'$:

(1) $\ell(s) = \ell(s')$;

(2) For any $t \in \Sigma$ such that $s \to t$, there exists $t' \in \Sigma$ such that $s' \to t'$ and $tRt'$;

(3) $s'Rs$, i.e. $R$ is symmetric.

Since the empty relation is a bisimulation and bisimulations are closed under union, it turns out that the largest (as a set) bisimulation relation exists. This largest bisimulation is an equivalence relation called bisimulation equivalence and is denoted by $\sim_{\mathrm{bis}}$, while $P_{\mathrm{bis}} \in \mathrm{Part}(\Sigma)$ denotes the corresponding partition. Thus, a partition $P \in \mathrm{Part}(\Sigma)$ is a bisimulation on $\mathcal{K}$ when $P \preceq P_{\mathrm{bis}}$.

It is well known [4] that when $\mathcal{K}$ is finitely branching, bisimulation equivalence coincides with the state equivalence induced by CTL, i.e., $P_{\mathrm{bis}} = P_{\mathrm{CTL}}$ (the same holds for CTL* and the $\mu$-calculus, see e.g. [19, Lemma 6.2.0.5]). Moreover, it is known (see e.g. [49, Section 12]) that it is enough to consider finitary Hennessy-Milner logic [34], i.e. a language including propositional logic and the existential next operator, in order to have that $P_{\mathcal{L}_1} = P_{\mathrm{bis}}$:

$\mathcal{L}_1 \ni \varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \mathrm{EX}\varphi$

where, as usual, the interpretation $\mathbf{EX}$ of $\mathrm{EX}$ in $\mathcal{K}$ is $\mathrm{pre}_{\to}$. A number of algorithms for computing bisimulation equivalence exists [3, 23, 38, 42]. The Paige-Tarjan algorithm [42] runs in $O(|{\to}| \log(|\Sigma|))$-time and is the most time-efficient algorithm that computes bisimulation equivalence.

We recalled above that $P_{\mathcal{L}_1} = P_{\mathrm{CTL}}$. In our framework, this can be obtained as a consequence of the fact that the most abstract s.p. domains for CTL and $\mathcal{L}_1$ coincide.

Lemma 7.1. Let $\mathcal{K}$ be finitely branching. Then, $AD_{\mathrm{CTL}} = AD_{\mathcal{L}_1} = \mathrm{ad}_p(P_{\mathrm{bis}})$.

Proof. Let $\mathbf{Op}_{\mathrm{CTL}} = \{\cap, \complement, \mathbf{AX}, \mathbf{EX}, \mathbf{AU}, \mathbf{EU}, \mathbf{AR}, \mathbf{ER}\}$ be the set of standard interpretations of the operators of CTL on $\mathcal{K}$, so that $\mathbf{AX} = \widetilde{\mathrm{pre}}_{\to}$ and $\mathbf{EX} = \mathrm{pre}_{\to}$. We show that $\mu \in \mathrm{uco}(\wp(\Sigma))$ is forward complete for $\mathbf{Op}_{\mathrm{CTL}}$ iff $\mu$ is forward complete for $\{\complement, \mathrm{pre}_{\to}\}$. One direction is immediate, since $\complement, \mathrm{pre}_{\to} \in \mathbf{Op}_{\mathrm{CTL}}$. Conversely, assume that $\mu$ is forward complete for $\{\complement, \mathrm{pre}_{\to}\}$ (recall that any uco is forward complete for $\cap$). Let us first prove that $\mu$ is forward complete for $\widetilde{\mathrm{pre}}_{\to} = \mathbf{AX}$:

$\mu \circ \widetilde{\mathrm{pre}}_{\to} \circ \mu =$ [by definition of $\widetilde{\mathrm{pre}}_{\to}$]
$\mu \circ \complement \circ \mathrm{pre}_{\to} \circ \complement \circ \mu =$ [as $\mu$ is complete for $\complement$]
$\mu \circ \complement \circ \mathrm{pre}_{\to} \circ \mu \circ \complement \circ \mu =$ [as $\mu$ is complete for $\mathrm{pre}_{\to}$]
$\mu \circ \complement \circ \mu \circ \mathrm{pre}_{\to} \circ \mu \circ \complement \circ \mu =$ [as $\mu$ is complete for $\complement$]
$\complement \circ \mu \circ \mathrm{pre}_{\to} \circ \mu \circ \complement \circ \mu =$ [as $\mu$ is complete for $\mathrm{pre}_{\to}$]
$\complement \circ \mathrm{pre}_{\to} \circ \mu \circ \complement \circ \mu =$ [as $\mu$ is complete for $\complement$]
$\complement \circ \mathrm{pre}_{\to} \circ \complement \circ \mu =$ [by definition of $\widetilde{\mathrm{pre}}_{\to}$]
$\widetilde{\mathrm{pre}}_{\to} \circ \mu$.



The following fixpoint characterizations are well known [10]:

- $\mathbf{AU}(S_1, S_2) = \mathrm{lfp}(\lambda Z.\ S_2 \cup (S_1 \cap \widetilde{\mathrm{pre}}_{\to}(Z)))$;

- $\mathbf{EU}(S_1, S_2) = \mathrm{lfp}(\lambda Z.\ S_2 \cup (S_1 \cap \mathrm{pre}_{\to}(Z)))$;

- $\mathbf{AR}(S_1, S_2) = \mathrm{gfp}(\lambda Z.\ S_2 \cap (S_1 \cup \widetilde{\mathrm{pre}}_{\to}(Z)))$;

- $\mathbf{ER}(S_1, S_2) = \mathrm{gfp}(\lambda Z.\ S_2 \cap (S_1 \cup \mathrm{pre}_{\to}(Z)))$.
Let us show that $\mu$ is forward complete for $\mathbf{AU}$. The proofs for the remaining operators in $\mathbf{Op}_{\mathrm{CTL}}$ are analogous. We need to show that $\mu(\mathrm{lfp}(\lambda Z.\ \mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(Z)))) = \mathrm{lfp}(\lambda Z.\ \mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(Z)))$. Let us show that $\mu$ is forward complete for the function $\lambda Z.\ \mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(Z))$:

$\mu(\mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(\mu(Z)))) =$ [as $\mu$ is complete for $\widetilde{\mathrm{pre}}_{\to}$]
$\mu(\mu(S_2) \cup (\mu(S_1) \cap \mu(\widetilde{\mathrm{pre}}_{\to}(\mu(Z))))) =$ [as $\mu$ is complete for $\cap$]
$\mu(\mu(S_2) \cup \mu(\mu(S_1) \cap \mu(\widetilde{\mathrm{pre}}_{\to}(\mu(Z))))) =$ [as $\mu$ is complete for $\cup$]
$\mu(S_2) \cup \mu(\mu(S_1) \cap \mu(\widetilde{\mathrm{pre}}_{\to}(\mu(Z)))) =$ [as $\mu$ is complete for $\cap$]
$\mu(S_2) \cup (\mu(S_1) \cap \mu(\widetilde{\mathrm{pre}}_{\to}(\mu(Z)))) =$ [as $\mu$ is complete for $\widetilde{\mathrm{pre}}_{\to}$]
$\mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(\mu(Z)))$.

Here completeness for $\cup$ follows from completeness for $\complement$ and $\cap$ by De Morgan's laws. Observe that, since $\mu$ is forward complete for $\complement$, by Corollary 3.3 $\mu$ is partitioning and therefore additive (hence continuous), so that $\mu(\varnothing) = \varnothing$. Moreover, let us show that from the hypothesis that $\mathcal{K}$ is finitely branching it follows that $\widetilde{\mathrm{pre}}_{\to}$ is continuous. First, notice that $\widetilde{\mathrm{pre}}_{\to}$ is continuous iff $\mathrm{pre}_{\to}$ is co-continuous. Hence, let us check that $\mathrm{pre}_{\to}$ is co-continuous. Let $\{X_i\}_{i \in \mathbb{N}}$ be a decreasing chain of subsets of $\Sigma$ and let $x \in \cap_{i \in \mathbb{N}} \mathrm{pre}_{\to}(X_i)$, i.e. $\mathrm{post}_{\to}(\{x\}) \cap X_i \neq \varnothing$ for every $i \in \mathbb{N}$. Since $\mathcal{K}$ is finitely branching, $\mathrm{post}_{\to}(\{x\})$ is finite, so that there exists some $k \in \mathbb{N}$ such that for any $j \geq 0$, $\mathrm{post}_{\to}(\{x\}) \cap X_k = \mathrm{post}_{\to}(\{x\}) \cap X_{k+j}$. Hence, there exists some $z \in \cap_{i \in \mathbb{N}} X_i \cap \mathrm{post}_{\to}(\{x\})$, so that $x \in \mathrm{pre}_{\to}(\cap_{i \in \mathbb{N}} X_i)$. Therefore, since $\widetilde{\mathrm{pre}}_{\to}$ is continuous we also have that $\lambda Z.\ \mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(Z))$ is continuous. We can therefore apply Lemma 2.1 so that $\mu(\mathrm{lfp}(\lambda Z.\ \mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(Z)))) = \mathrm{lfp}(\lambda Z.\ \mu(S_2) \cup (\mu(S_1) \cap \widetilde{\mathrm{pre}}_{\to}(Z)))$.

Thus, by Lemma 6.4, $\mathscr{S}_{\{\complement, \mathrm{pre}_{\to}\}} = \mathscr{S}_{\mathbf{Op}_{\mathrm{CTL}}}$, so that, by Corollary 6.8, $AD_{\mathcal{L}_1} = AD_{\mathrm{CTL}}$. Finally, since $\mathcal{K}$ is finitely branching and $\mathcal{L}_1$ is closed under conjunction and negation, by Proposition 5.10 (1) and (3), $\mathrm{ad}_p(P_{\mathrm{bis}}) = \mathrm{ad}_p(P_{\mathcal{L}_1}) = AD_{\mathcal{L}_1}$. □

As a consequence of this and of the results in Section 6 (in particular of Corollary 6.9), any partition refinement algorithm $\mathrm{Alg}_{\mathrm{bis}}$ for computing bisimulation equivalence on a finitely branching Kripke structure, like those in [3, 23, 38, 42], can be characterized as a complete shell refinement as follows:

$\mathrm{Alg}_{\mathrm{bis}}(P) = \mathrm{par}(\mathscr{S}_{\{\complement, \mathrm{pre}_{\to}\}}(\mathcal{M}(P)))$.

Thus, $\mathrm{Alg}_{\mathrm{bis}}$ is viewed as an algorithm for computing a particular abstraction, that is $\mathrm{par}$, of a particular complete shell, that is $\mathscr{S}_{\{\complement, \mathrm{pre}_{\to}\}}$. In particular, this holds for the Paige-Tarjan algorithm [42] and leads to the design of a generalized Paige-Tarjan-like procedure for computing most abstract strongly preserving domains [45].

Finally, our abstract interpretation-based approach allows us to give the following nice characterization of bisimulation for a partition $P$ in terms of forward completeness for the corresponding partitioning abstract domain $\mathrm{ad}_p(P)$.

Theorem 7.2. Let $P \in \mathrm{Part}(\Sigma)$. Then, $P$ is a bisimulation on $\mathcal{K}$ iff $\mathrm{ad}_p(P)$ is forward complete for $\{\mathbf{p} \mid p \in AP\} \cup \{\mathrm{pre}_{\to}\}$.

Proof. We view $\mathrm{ad}_p(P)$ as a uco so that $\mathrm{ad}_p(P) = \{\cup_i B_i \in \wp(\Sigma) \mid \{B_i\} \subseteq P\}$. Let us first observe that $P \preceq P_{\ell}$ iff $\mathrm{ad}_p(P)$ is forward complete for $\{\mathbf{p} \subseteq \Sigma \mid p \in AP\}$. On the one hand, since $\mathbf{p} = \{s \in \Sigma \mid p \in \ell(s)\}$, if $s \in \mathbf{p}$ and $s \in B$, for some $B \in P$, then $B \subseteq [s]_{\ell} \subseteq \mathbf{p}$. Hence, $\mathbf{p}$ is a union of some blocks of $P$ and therefore $\mathbf{p} \in \mathrm{ad}_p(P)$. On the other hand, if $\mathrm{ad}_p(P)$ contains $\{\mathbf{p} \subseteq \Sigma \mid p \in AP\}$ then, for any $p \in AP$, $\mathbf{p}$ is a union of some blocks in $P$. Thus, for any $B \in P$, either $B \subseteq \mathbf{p}$ or $B \cap \mathbf{p} = \varnothing$. Consequently, if $s \in B$ then $B \subseteq [s]_{\ell} \in P_{\ell}$.

Let us now note that $\mathrm{ad}_p(P)$ is forward complete for $\mathrm{pre}_{\to}$ iff for any block $B \in P$, $\mathrm{pre}_{\to}(B)$ is a (possibly empty) union of blocks of $P$: this holds because $\mathrm{pre}_{\to}$ is additive, and therefore if $\{B_i\} \subseteq P$ then $\mathrm{pre}_{\to}(\cup_i B_i) = \cup_i \mathrm{pre}_{\to}(B_i)$. The fact that, for some $B \in P$, $\mathrm{pre}_{\to}(B) = \cup_j B_j$, for some blocks $\{B_j\} \subseteq P$, implies that if $s \in \mathrm{pre}_{\to}(B)$, i.e., $s \to t$ for some $t \in B$, then $s \in B_j$, for some $j$, and if $s' \in B_j$ then $s' \in \mathrm{pre}_{\to}(B)$, i.e., $s' \to t'$ for some $t' \in B$, namely condition (2) of bisimulation for $P$ holds. On the other hand, if condition (2) of bisimulation for $P$ holds then if $s, s' \in B'$ and $s \in \mathrm{pre}_{\to}(B)$, for some $B, B' \in P$, then $s' \to t'$ for some $t' \in B$, i.e., $s' \in \mathrm{pre}_{\to}(B)$, and therefore $\mathrm{pre}_{\to}(B)$ is a union of blocks of $P$. This closes the proof. □






7.1.1 On the Smallest Abstract Transition Relation

As recalled in Section 2.3, the abstract Kripke structure $\mathcal{A} = (P_{\mathrm{bis}}, \to^{\exists\exists}, \ell^{\exists})$ strongly preserves CTL, where $B_1 \to^{\exists\exists} B_2$ iff there exist $s_1 \in B_1$ and $s_2 \in B_2$ such that $s_1 \to s_2$, and $\ell^{\exists}(B) = \cup_{s \in B}\, \ell(s)$. As a simple and elegant consequence of our approach, it is easy to show that $\to^{\exists\exists}$ is the unique (and therefore the smallest) abstract transition relation on $P_{\mathrm{bis}}$ that induces strong preservation for CTL.

Let $\mathcal{K} = (\Sigma, \to, \ell)$ be finitely branching so that, by Lemma 7.1, $AD_{\mathcal{L}_1} = \mathrm{ad}_p(P_{\mathrm{bis}}) = \wp(P_{\mathrm{bis}})$. Recall that the concrete interpretation $I$ induced by $\mathcal{K}$ is such that $I(\mathrm{EX}) = \mathrm{pre}_{\to}$. By Theorem 5.9, the unique interpretation of atoms and operations in $\mathcal{L}_1$ on the abstract domain $\wp(P_{\mathrm{bis}})$ that gives rise to a s.p. abstract semantics is the best correct approximation $I^{\wp(P_{\mathrm{bis}})}$. Hence, if $\mathcal{A} = (P_{\mathrm{bis}}, \to^{\sharp}, \ell^{\sharp})$ is strongly preserving for CTL then the interpretation $\mathrm{pre}_{\to^{\sharp}}$ of $\mathrm{EX}$ induced by $\mathcal{A}$ must coincide with $I^{\wp(P_{\mathrm{bis}})}(\mathrm{EX})$. Consequently, $\mathrm{pre}_{\to^{\sharp}} = \alpha \circ \mathrm{pre}_{\to} \circ \gamma$, so that for any $B_1, B_2 \in P_{\mathrm{bis}}$, we have that $B_1 \to^{\sharp} B_2$ iff $B_1 \in \alpha(\mathrm{pre}_{\to}(\gamma(\{B_2\})))$. Therefore, we conclude by observing that $B_1 \in \alpha(\mathrm{pre}_{\to}(\gamma(\{B_2\})))$ iff $B_1 \to^{\exists\exists} B_2$.

We believe that a similar reasoning could also be useful for other languages $\mathcal{L}$ in order to prove that the smallest abstract transition relation on $P_{\mathcal{L}}$ that induces strong preservation exists. For example, this has been proved for the case of ACTL by Bustan and Grumberg [5].

7.2 Stuttering Equivalence

Lamport's criticism [37] of the next-time operator X in CTL/CTL* is well known. This motivated the study of temporal logics CTL-X/CTL*-X obtained from CTL/CTL* by removing the next-time operator, and this led to the study of notions of behavioural stuttering-based equivalences [4, 22, 32]. We are interested here in divergence blind stuttering (dbs for short) equivalence. Let $\mathcal{K} = (\Sigma, \to, \ell)$ be a Kripke structure over a set $AP$ of atoms. A relation $R \subseteq \Sigma \times \Sigma$ is a divergence blind stuttering relation on $\mathcal{K}$ if for any $s, s' \in \Sigma$ such that $sRs'$:

(1) $\ell(s) = \ell(s')$;

(2) If $s \to t$ then there exist $t_0, \ldots, t_k \in \Sigma$, with $k \geq 0$, such that: (i) $t_0 = s'$; (ii) for all $i \in [0, k-1]$, $t_i \to t_{i+1}$ and $sRt_i$; (iii) $tRt_k$;

(3) $s'Rs$, i.e. $R$ is symmetric.

Observe that condition (2) allows the case $k = 0$ and this simply boils down to requiring that $tRs'$. Since the empty relation is a dbs relation and dbs relations are closed under union, it turns out that the largest dbs relation exists. It turns out that this largest dbs relation is an equivalence relation called dbs equivalence and is denoted by $\sim_{\mathrm{dbs}}$, while $P_{\mathrm{dbs}} \in \mathrm{Part}(\Sigma)$ denotes the corresponding partition. In particular, a partition $P \in \mathrm{Part}(\Sigma)$ is a dbs relation on $\mathcal{K}$ when $P \preceq P_{\mathrm{dbs}}$.

De Nicola and Vaandrager [22, Theorem 3.2.5] showed that for finite Kripke structures and for an interpretation of universal/existential path quantifiers over all the, possibly finite, prefixes, dbs equivalence coincides with the state equivalence induced by the language CTL-X (this also holds for CTL*-X), that is $P_{\mathrm{dbs}} = P_{\mathrm{CTL\text{-}X}}$. This is not true with the standard interpretation of path quantifiers over infinite paths, since this requires a divergence sensitive notion of stuttering (see the details in [22]). Groote and Vaandrager [32] presented a partition refinement algorithm that computes the partition $P_{\mathrm{dbs}}$ in $O(|\Sigma|\,|{\to}|)$-time.

We provide a characterization of divergence blind stuttering equivalence as the state equivalence induced by the following language that includes propositional logic and the existential until operator EU, where the interpretation of the existential path quantifier is standard, i.e. over infinite paths:

$\mathcal{L}_2 \ni \varphi ::= p \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \mathrm{EU}(\varphi_1, \varphi_2)$

Since the transition relation $\to$ is assumed to be total, let us recall that the standard semantics $\mathrm{EU}_{\to} : \wp(\Sigma)^2 \to \wp(\Sigma)$ of the existential until operator is as follows:

$\mathrm{EU}_{\to}(S_1, S_2) = S_2 \cup \{s \in S_1 \mid \exists s_0, \ldots, s_n \in \Sigma,\ \text{with } n > 0,\ \text{such that (i) } s_0 = s,\ \text{(ii) } \forall i \in [0, n-1].\ s_i \in S_1 \text{ and } s_i \to s_{i+1},\ \text{(iii) } s_n \in S_2\}$.
The following result characterizes a dbs partition $P$ in terms of forward completeness for the corresponding partitioning abstract domain $\mathrm{ad}_p(P)$.

Theorem 7.3. Let $P \in \mathrm{Part}(\Sigma)$. Then, $P$ is a dbs partition on $\mathcal{K}$ iff $\mathrm{ad}_p(P)$ is forward complete for $\{\mathbf{p} \mid p \in AP\} \cup \{\mathrm{EU}_{\to}\}$.

Proof. As already shown in the proof of Theorem 7.2, it turns out that $P \preceq P_{\ell}$ iff $\mathrm{ad}_p(P)$ is forward complete for $\{\mathbf{p} \subseteq \Sigma \mid p \in AP\}$. Thus, it remains to show that $P \in \mathrm{Part}(\Sigma)$ satisfies condition (2) of the definition of dbs relation iff $\mathrm{ad}_p(P)$ is forward complete for $\mathrm{EU}_{\to}$. Let us first observe that $P$ satisfies condition (2) iff for any $B_1, B_2 \in P$, $\mathrm{EU}_{\to}(B_1, B_2) \in \{B_2, B_1 \cup B_2\}$, that is, $\mathrm{EU}_{\to}(B_1, B_2) = B_1 \cup B_2$ whenever $\mathrm{EU}_{\to}(B_1, B_2) \cap B_1 \neq \varnothing$ (note that $B_2 \subseteq \mathrm{EU}_{\to}(B_1, B_2) \subseteq B_1 \cup B_2$ always holds).

($\Rightarrow$) If $B_1 = B_2$ then $\mathrm{EU}_{\to}(B_1, B_1) = B_1$. Otherwise, assume that $B_1 \neq B_2$. If $B_2 \subsetneq \mathrm{EU}_{\to}(B_1, B_2) \subseteq B_1 \cup B_2$ then there exists $s \in \mathrm{EU}_{\to}(B_1, B_2)$ such that $s \in B_1$. Thus, if $s' \in B_1$ then, by condition (2), $s' \in \mathrm{EU}_{\to}(B_1, B_2)$. This implies that $\mathrm{EU}_{\to}(B_1, B_2) = B_1 \cup B_2$.

($\Leftarrow$) Let $B \in P$, $s, s' \in B$ and $s \to t$. If $t \in B$ then condition (2) is satisfied. Otherwise, $t \in B'$ for some $B' \in P$ with $B \neq B'$. Thus, $s \in \mathrm{EU}_{\to}(B, B') \cap B$ and therefore $\mathrm{EU}_{\to}(B, B') = B \cup B'$, so that $s' \in \mathrm{EU}_{\to}(B, B')$, i.e. $s'$ reaches $B'$ through a finite path of states in $B$. This means that condition (2) is satisfied for $P$.

To complete the proof it is now sufficient to show that if, for any $B_1, B_2 \in P$, $\mathrm{EU}_{\to}(B_1, B_2) \in \{B_2, B_1 \cup B_2\}$ then $\mathrm{ad}_p(P)$ is forward complete for $\mathrm{EU}_{\to}$, i.e., for any $\{B_i\}_{i \in I}, \{B_j\}_{j \in J} \subseteq P$, $\mathrm{EU}_{\to}(\cup_i B_i, \cup_j B_j) = \cup_k B_k$, for some $\{B_k\}_{k \in K} \subseteq P$. The function $\mathrm{EU}_{\to}$ is additive in its second argument, thus we only need to show that, for any $B \in P$, $\mathrm{EU}_{\to}(\cup_i B_i, B) = \cup_k B_k$, namely if $s \in \mathrm{EU}_{\to}(\cup_i B_i, B)$ and $s \in B'$ for some $B' \in P$, then $B' \subseteq \mathrm{EU}_{\to}(\cup_i B_i, B)$. If $B' \notin \{B_i\}_{i \in I}$ then necessarily $s \in B$, so that $B' = B \subseteq \mathrm{EU}_{\to}(\cup_i B_i, B)$ trivially. If $s \in \mathrm{EU}_{\to}(\cup_i B_i, B)$ and $s \in B'$, for some $B' \in \{B_i\}_{i \in I}$, then there exist $n \geq 0$ and $s_0, \ldots, s_n \in \Sigma$ such that $s_0 = s$, $\forall j \in [0, n-1].\ s_j \in \cup_i B_i$ and $s_j \to s_{j+1}$, and $s_n \in B$. Let us prove by induction on $n \in \mathbb{N}$ that if $s' \in B'$ then $s' \in \mathrm{EU}_{\to}(\cup_i B_i, B)$.

($n = 0$): In this case $s \in \cup_i B_i$ and $s \in B = B'$. Hence, for some $k$, $s \in B_k = B = B'$ and therefore $s \in \mathrm{EU}_{\to}(B, B)$. By hypothesis, $\mathrm{EU}_{\to}(B, B) = B$. Moreover, $\mathrm{EU}_{\to}$ is monotone on its first component and therefore $B' = B = \mathrm{EU}_{\to}(B, B) \subseteq \mathrm{EU}_{\to}(\cup_i B_i, B)$.

($n + 1$): Suppose that there exist $s_0, \ldots, s_{n+1} \in \Sigma$ such that $s_0 = s$, $\forall j \in [0, n].\ s_j \in \cup_i B_i$ and $s_j \to s_{j+1}$, and $s_{n+1} \in B$. Let $s_n \in B_k$, for some $B_k \in \{B_i\}_{i \in I}$. Then, $s \in \mathrm{EU}_{\to}(\cup_i B_i, B_k)$ and $s = s_0 \to s_1 \to \ldots \to s_n$. Since this finite path has length $n$, by inductive hypothesis, $s' \in \mathrm{EU}_{\to}(\cup_i B_i, B_k)$. Hence, there exist $r_0, \ldots, r_m \in \Sigma$, with $m \geq 0$, such that $s' = r_0$, $\forall j \in [0, m-1].\ r_j \in \cup_i B_i$ and $r_j \to r_{j+1}$, and $r_m \in B_k$. Moreover, since $s_n \to s_{n+1}$, we have that $s_n \in \mathrm{EU}_{\to}(B_k, B) \cap B_k$. By hypothesis, $\mathrm{EU}_{\to}(B_k, B) = B_k \cup B$, and therefore $r_m \in \mathrm{EU}_{\to}(B_k, B)$. Thus, there exist $q_0, \ldots, q_l \in \Sigma$, with $l \geq 0$, such that $r_m = q_0$, $\forall j \in [0, l-1].\ q_j \in B_k$ and $q_j \to q_{j+1}$, and $q_l \in B$. We have thus found the following finite path: $s' = r_0 \to r_1 \to \ldots \to r_m = q_0 \to q_1 \to \ldots \to q_l$, where all the states in the sequence but the last one $q_l$ belong to $\cup_i B_i$, while $q_l \in B$. This means that $s' \in \mathrm{EU}_{\to}(\cup_i B_i, B)$. □

As a consequence, we obtain a characterization of dbs equivalence as the state equivalence induced by the standard interpretation of the language $\mathscr{L}_2$.

Corollary 7.4. Let $\Sigma$ be finite. Then, $P_{\mathrm{dbs}} = P_{\mathscr{L}_2}$.

Proof. By definition, $P_{\mathrm{dbs}} = \curlyvee_{\mathrm{Part}(\Sigma)} \{P \in \mathrm{Part}(\Sigma) \mid P \text{ is a dbs relation on } \mathcal{K}\}$. By Theorem 7.3, $P_{\mathrm{dbs}} = \curlyvee_{\mathrm{Part}(\Sigma)} \{P \in \mathrm{Part}(\Sigma) \mid \mathrm{ad}_p(P) \text{ is complete for } \{p \mid p \in AP\} \cup \{\mathrm{EU}_\to\}\}$. By Theorem 3.2, $\mathrm{ad}_p$ is co-additive on $\mathrm{Part}(\Sigma)_\preceq$, that is $\mathrm{ad}_p$ preserves lub's in $\mathrm{Part}(\Sigma)_\preceq$. Hence, $\mathrm{ad}_p(P_{\mathrm{dbs}}) = \sqcup_{\mathrm{Abs}(\wp(\Sigma))} \{\mathrm{ad}_p(P) \in \mathrm{Abs}(\wp(\Sigma)) \mid P \in \mathrm{Part}(\Sigma),\ \mathrm{ad}_p(P) \text{ is complete for } \{p \mid p \in AP\} \cup \{\mathrm{EU}_\to\}\}$. By Theorem 3.2, $\mathrm{Abs}_{\mathrm{par}}(\wp(\Sigma)) = \{\mathrm{ad}_p(P) \mid P \in \mathrm{Part}(\Sigma)\}$ so that $\mathrm{ad}_p(P_{\mathrm{dbs}}) = \sqcup_{\mathrm{Abs}(\wp(\Sigma))} \{A \in \mathrm{Abs}_{\mathrm{par}}(\wp(\Sigma)) \mid A \text{ is complete for } \{p \mid p \in AP\} \cup \{\mathrm{EU}_\to\}\}$. By Corollary 3.3, $A \in \mathrm{Abs}_{\mathrm{par}}(\wp(\Sigma))$ iff $A$ is forward complete for $\complement$, so that $\mathrm{ad}_p(P_{\mathrm{dbs}}) = \sqcup_{\mathrm{Abs}(\wp(\Sigma))} \{A \in \mathrm{Abs}(\wp(\Sigma)) \mid A \text{ is complete for } \{p \mid p \in AP\} \cup \{\complement, \mathrm{EU}_\to\}\}$. Then, we note that $A$ is forward complete for $\{p \mid p \in AP\}$ iff $A \sqsubseteq \mathcal{M}(\{p \mid p \in AP\})$. Hence, $\mathrm{ad}_p(P_{\mathrm{dbs}}) = \sqcup_{\mathrm{Abs}(\wp(\Sigma))} \{A \in \mathrm{Abs}(\wp(\Sigma)) \mid A \sqsubseteq \mathcal{M}(\{p \mid p \in AP\}),\ A \text{ is complete for } \{\complement, \mathrm{EU}_\to\}\} = \mathcal{S}_{\{\complement, \mathrm{EU}_\to\}}(\mathcal{M}(\{p \mid p \in AP\}))$. Finally, since $\Sigma$ is finite and therefore closure under infinite conjunction boils down to closure under finite conjunction, by Corollary 6.8, $\mathcal{S}_{\{\complement, \mathrm{EU}_\to\}}(\mathcal{M}(\{p \mid p \in AP\})) = \mathrm{AD}_{\mathscr{L}_2}$. Thus, by Proposition 5.10 (1), $\mathrm{ad}_p(P_{\mathrm{dbs}}) = \mathrm{AD}_{\mathscr{L}_2}$, so that $P_{\mathrm{dbs}} = \mathrm{par}(\mathrm{ad}_p(P_{\mathrm{dbs}})) = \mathrm{par}(\mathrm{AD}_{\mathscr{L}_2}) = P_{\mathscr{L}_2}$. □
As a consequence of Corollary 6.9, the Groote-Vaandrager algorithm [32] GV for computing dbs equivalence on a finite Kripke structure can be characterized as a complete shell refinement as follows:

$\mathrm{GV}(P) = \mathrm{par}(\mathcal{S}_{\{\complement, \mathrm{EU}_\to\}}(\mathcal{M}(P)))$.
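The characterization above can be exercised on a small finite Kripke structure. The following Python code is an added example, not code from the paper: it constructs a nine-state structure with one atomic proposition $p$ (the structure, its labelling and the splitting loop are the example's own assumptions), computes $\mathrm{EU}_\to$ as a least fixpoint, checks the pairwise form of the completeness condition in the proof of Theorem 7.3 (every $\mathrm{EU}_\to(B_1, B_2)$ and every atomic proposition must be a union of blocks of $P$), and refines the labelling partition by Groote-Vaandrager-style splitting of $B_1$ on $B_1 \cap \mathrm{EU}_\to(B_1, B_2)$ until no block can be split any further.

```python
from itertools import product

# Constructed Kripke structure (an assumption of this example, not taken from
# the paper): states 0..8, one atomic proposition p, transitions in SUCC.
STATES = tuple(range(9))
SUCC = {0: {1}, 1: {2}, 2: {3}, 3: {3}, 4: {3}, 5: {5}, 6: {3, 6}, 7: {7}, 8: {0}}
LABEL = {s: ({"p"} if s in (0, 1, 2, 4, 5, 6) else set()) for s in STATES}
AP = ("p",)


def pre_arrow(S):
    """pre_->(S): states with at least one successor in S."""
    S = set(S)
    return frozenset(s for s in STATES if SUCC[s] & S)


def eu(S1, S2):
    """EU_->(S1, S2): states that reach S2 through a (possibly empty) path whose
    intermediate states all lie in S1, as the least fixpoint of
    X = S2 | (S1 & pre_->(X))."""
    S1, X = frozenset(S1), frozenset(S2)
    while True:
        nxt = X | (S1 & pre_arrow(X))
        if nxt == X:
            return X
        X = nxt


def is_union_of_blocks(S, P):
    """Forward completeness for one set: S is an element of ad_p(P)."""
    return all(B <= S or not (B & S) for B in P)


def is_dbs_partition(P):
    """Theorem 7.3 on a finite structure: ad_p(P) is forward complete for every
    atomic proposition and for EU_-> applied to pairs of blocks (EU_-> is
    additive in its second argument, so pairs of blocks suffice)."""
    for p in AP:
        if not is_union_of_blocks({s for s in STATES if p in LABEL[s]}, P):
            return False
    return all(is_union_of_blocks(eu(B1, B2), P) for B1, B2 in product(P, P))


def initial_partition():
    """Coarsest partition refining the labelling, i.e. par(M({p | p in AP}))."""
    blocks = {}
    for s in STATES:
        blocks.setdefault(frozenset(LABEL[s]), set()).add(s)
    return frozenset(frozenset(B) for B in blocks.values())


def gv_refine(P):
    """Groote-Vaandrager style refinement: while some block B1 contains both
    states that reach another block B2 inside B1 and states that do not, split
    B1 on B1 & EU_->(B1, B2). Stops at a partition that is stable for EU_->."""
    P = set(P)
    while True:
        for B1, B2 in product(sorted(P, key=sorted), repeat=2):
            if B1 == B2:
                continue
            pos = B1 & eu(B1, B2)
            if pos and pos != B1:
                P.remove(B1)
                P.update((pos, B1 - pos))
                break
        else:
            return frozenset(P)
```

On this structure the labelling partition $\{\{0,1,2,4,5,6\}, \{3,7,8\}\}$ is not stable, and the refinement yields $\{\{0,1,2,4,6\}, \{5\}, \{3,7\}, \{8\}\}$: the diverging state 5 is separated from the $p$-states that can reach a non-$p$ state, and state 8, which can leave its label class, is separated from the self-looping states 3 and 7. Re-running the refinement on the result leaves it unchanged, as expected of a fixpoint.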

7.3 Simulation Preorder and Equivalence 

Simulations are possibly nonsymmetric bisimulations, that is $R \subseteq \Sigma \times \Sigma$ is a simulation on a Kripke structure $\mathcal{K} = (\Sigma, \to, \ell)$ if for any $s, s' \in \Sigma$ such that $sRs'$:

(1) $\ell(s') \subseteq \ell(s)$;

(2) For any $t \in \Sigma$ such that $s \to t$, there exists $t' \in \Sigma$ such that $s' \to t'$ and $tRt'$.

The empty relation is a simulation and simulation relations are closed under union, so that the largest simulation relation exists. It turns out that the largest simulation is a preorder relation called similarity preorder and denoted by $R_{\mathrm{sim}} \in \mathrm{PreOrd}(\Sigma)$. Therefore, a preorder relation $R \in \mathrm{PreOrd}(\Sigma)$ is a simulation on $\mathcal{K}$ when $R \subseteq R_{\mathrm{sim}}$. Simulation equivalence $\sim_{\mathrm{simeq}} \subseteq \Sigma \times \Sigma$ is the symmetric closure of $R_{\mathrm{sim}}$: $s \sim_{\mathrm{simeq}} s'$ iff there exist two simulation relations $R_1$ and $R_2$ such that $sR_1s'$ and $s'R_2s$. $P_{\mathrm{simeq}} \in \mathrm{Part}(\Sigma)$ denotes the partition corresponding to $\sim_{\mathrm{simeq}}$.

A number of algorithms for computing simulation equivalence have been proposed [2, 5, 12, 27, 35] and some of them, like [2, 35], first compute the similarity preorder and then obtain simulation equivalence from it. The problem of computing simulation equivalence is important in model checking because, as recalled in Section 2.3, simulation equivalence strongly preserves ACTL so that $P_{\mathrm{simeq}} = P_{\mathrm{ACTL}}$ (see [33, Section 4]). Recall that ACTL is obtained by restricting CTL, as defined in Section 4.1, to universal quantifiers and by allowing negation on atomic propositions only:

$\mathrm{ACTL} \ni \varphi ::= p \mid \neg p \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \mathrm{AX}\varphi \mid \mathrm{AU}(\varphi_1, \varphi_2) \mid \mathrm{AR}(\varphi_1, \varphi_2)$

It turns out that the most abstract s.p. domain for ACTL can be obtained as the most abstract s.p. domain for the following sublanguage $\mathscr{L}_3$:

$\mathscr{L}_3 \ni \varphi ::= p \mid \neg p \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 \vee \varphi_2 \mid \mathrm{AX}\varphi$

Lemma 7.5. Let $\mathcal{K}$ be finitely branching. Then, $\mathrm{AD}_{\mathrm{ACTL}} = \mathrm{AD}_{\mathscr{L}_3}$.

Proof. Let $\mathbf{Op}_{\mathrm{ACTL}} = \{\cap, \cup, \mathrm{AX}, \mathrm{AU}, \mathrm{AR}\}$ be the set of standard interpretations of the operators of ACTL on $\mathcal{K}$, so that $\mathrm{AX} = \widetilde{\mathrm{pre}}_\to$. Analogously to the proof of Lemma 7.1, as a consequence of the least/greatest fixpoint characterizations of AU and AR, it turns out that for any $A \in \mathrm{Abs}(\wp(\Sigma))$, $A$ is forward complete for $\mathbf{Op}_{\mathrm{ACTL}}$ iff $A$ is forward complete for $\{\cup, \widetilde{\mathrm{pre}}_\to\}$. Thus, by Lemma 6.4, $\mathcal{S}_{\{\cup, \widetilde{\mathrm{pre}}_\to\}} = \mathcal{S}_{\mathbf{Op}_{\mathrm{ACTL}}}$, so that, by Corollary 6.8, $\mathrm{AD}_{\mathscr{L}_3} = \mathrm{AD}_{\mathrm{ACTL}}$. □

Thus, by Proposition 5.10 (1), $P_{\mathrm{ACTL}} = \mathrm{par}(\mathrm{AD}_{\mathrm{ACTL}}) = \mathrm{par}(\mathrm{AD}_{\mathscr{L}_3}) = P_{\mathscr{L}_3}$, so that $P_{\mathrm{simeq}} = P_{\mathscr{L}_3}$. As a further consequence, by Corollary 6.9, any algorithm $\mathrm{Alg}_{\mathrm{simeq}}$ that computes simulation equivalence can be viewed as a partitioning abstraction of the $\{\cup, \widetilde{\mathrm{pre}}_\to\}$-complete shell refinement:

$\mathrm{Alg}_{\mathrm{simeq}}(P) = \mathrm{par}(\mathcal{S}_{\{\cup, \widetilde{\mathrm{pre}}_\to\}}(\mathcal{M}(P)))$.

An instantiation of the generalized Paige-Tarjan-like procedure in [45] for the complete shell $\mathcal{S}_{\{\cup, \widetilde{\mathrm{pre}}_\to\}}$ allows one to design a new efficient abstract interpretation-based algorithm for computing simulation equivalence [46] whose space and time complexity is comparable with that of state-of-the-art algorithms like [5, 27].
7.3.1 Preorders as Abstract Domains

Simulations give rise to preorders rather than equivalences, unlike bisimulations and dbs relations. Thus, in order to characterize simulation preorders as forward completeness of abstract domains we need to view preorders as abstract domains. This can be obtained by generalizing the abstraction in Section 3 from partitions to preorders.

Let $R \in \mathrm{PreOrd}(\Sigma)$ and let us define $R^{\mathrm{pre}} = \{\mathrm{pre}_R(\{x\}) \subseteq \Sigma \mid x \in \Sigma\}$. The preorder $R$ gives rise to an abstract domain $\wp(R^{\mathrm{pre}})_\subseteq$ which is related to $\wp(\Sigma)_\subseteq$ through the following abstraction and concretization maps:

$\alpha_R(S) = \{\mathrm{pre}_R(\{x\}) \subseteq \Sigma \mid x \in S\}$, $\qquad \gamma_R(\mathcal{X}) \stackrel{\mathrm{def}}{=} \cup_{X \in \mathcal{X}} X$.

It is easy to check that from the hypothesis that $R$ is a preorder it follows that $(\alpha_R, \wp(\Sigma)_\subseteq, \wp(R^{\mathrm{pre}})_\subseteq, \gamma_R)$ is indeed a GI. Hence, any $R \in \mathrm{PreOrd}(\Sigma)$ induces an abstract domain denoted by $\mathrm{ad}_d(R) \in \mathrm{Abs}(\wp(\Sigma))$. Also, note that $\gamma_R \circ \alpha_R = \mathrm{pre}_R$, namely $\mathrm{pre}_R$ is the closure associated to $\mathrm{ad}_d(R)$. The notation $\mathrm{ad}_d$ comes from the fact that an abstract domain $A$ is equivalent to some $\mathrm{ad}_d(R)$ if and only if $A$ is disjunctive.

Lemma 7.6. $\{\mathrm{ad}_d(R) \in \mathrm{Abs}(\wp(\Sigma)) \mid R \in \mathrm{PreOrd}(\Sigma)\} = \{A \in \mathrm{Abs}(\wp(\Sigma)) \mid A \text{ is disjunctive}\}$.

Proof. Observe that $\gamma_R$ is trivially additive, so that any $\mathrm{ad}_d(R)$ is disjunctive. On the other hand, let $A \in \mathrm{Abs}(\wp(\Sigma))$ be disjunctive and consider the relation $R_A = \{(x, y) \mid \alpha(\{x\}) \leq_A \alpha(\{y\})\}$ which is trivially a preorder. Thus, $\mathrm{ad}_d(R_A)$ is disjunctive so that in order to conclude that $\mathrm{ad}_d(R_A)$ is equivalent to $A$ it is enough to observe that for any $y \in \Sigma$, $\mathrm{pre}_{R_A}(\{y\}) = \gamma(\alpha(\{y\}))$: this is true because $\gamma(\alpha(\{y\})) = \{x \in \Sigma \mid \alpha(\{x\}) \leq_A \alpha(\{y\})\} = \mathrm{pre}_{R_A}(\{y\})$. □

Let us observe that $\mathrm{ad}_d$ indeed generalizes $\mathrm{ad}_p$ from partitions to preorders because for any $P \in \mathrm{Part}(\Sigma)$, $\mathrm{ad}_p(P) = \mathrm{ad}_d(P)$: this is a simple consequence of the fact that for a partition $P$ viewed as an equivalence relation and for $x \in \Sigma$, $P_x$ is exactly a block of $P$ so that $\alpha_P(S) = \{\mathrm{pre}_P(\{x\}) \mid x \in S\}$. On the other hand, an abstract domain $A \in \mathrm{Abs}(\wp(\Sigma))$ induces a preorder relation $\mathrm{preord}(A) \in \mathrm{PreOrd}(\Sigma)$ as follows:

$(x, y) \in \mathrm{preord}(A)$ iff $\alpha(\{x\}) \leq_A \alpha(\{y\})$.

It turns out that the maps $\mathrm{ad}_d$ and $\mathrm{preord}$ allow us to view the lattice of preorder relations as an abstraction of the lattice of abstract domains.

Theorem 7.7. $(\mathrm{preord}, \mathrm{Abs}(\wp(\Sigma))_{\sqsupseteq}, \mathrm{PreOrd}(\Sigma)_{\supseteq}, \mathrm{ad}_d)$ is a GI.

Proof. Let $A \in \mathrm{Abs}(\wp(\Sigma))$ and $R \in \mathrm{PreOrd}(\Sigma)$. Let us prove that $R \subseteq \mathrm{preord}(A) \Leftrightarrow \mathrm{ad}_d(R) \sqsubseteq \gamma \circ \alpha$.

($\Rightarrow$) Let $S \subseteq \Sigma$ and let us show that $\mathrm{ad}_d(R)(S) = \mathrm{pre}_R(S) \subseteq \gamma(\alpha(S))$. If $x \in \mathrm{pre}_R(S)$ then $xRy$ for some $y \in S$, so that $(x, y) \in \mathrm{preord}(A)$, i.e. $\alpha(\{x\}) \leq_A \alpha(\{y\})$. Thus, by applying $\gamma$, $x \in \gamma(\alpha(\{x\})) \subseteq \gamma(\alpha(\{y\})) \subseteq \gamma(\alpha(S))$.

($\Leftarrow$) Let $(x, y) \in R$ and let us show that $\alpha(\{x\}) \leq_A \alpha(\{y\})$. Note that $x \in \mathrm{pre}_R(\{y\}) = \mathrm{ad}_d(R)(\{y\}) \subseteq \gamma(\alpha(\{y\}))$, so that $\alpha(\{x\}) \leq_A \alpha(\{y\})$, namely $(x, y) \in \mathrm{preord}(A)$. □

Let us remark that $\mathcal{D} = \mathrm{ad}_d \circ \mathrm{preord}$ is a lower closure operator on $(\mathrm{Abs}(\wp(\Sigma)), \sqsubseteq)$ and that, by Lemma 7.6, for any $A \in \mathrm{Abs}(\wp(\Sigma))$, $A$ is disjunctive iff $\mathcal{D}(A) = A$. Hence, $\mathcal{D}$ coincides with the disjunctive-shell refinement, also known as disjunctive completion [14], namely $\mathcal{D}(A)$ is the most abstract disjunctive refinement of $A$.

We can now provide a characterization of simulation preorders in terms of forward completeness.

Theorem 7.8. Let $R \in \mathrm{PreOrd}(\Sigma)$. Then, $R$ is a simulation on $\mathcal{K}$ iff $\mathrm{ad}_d(R)$ is forward complete for $\{p \mid p \in AP\} \cup \{\mathrm{pre}_\to\}$.
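The similarity preorder of Section 7.3, the correspondence $\mathrm{preord}(\mathrm{ad}_d(R)) = R$ behind Theorem 7.7 and the completeness test of Theorem 7.8 can all be checked mechanically on a finite structure. The following Python code is an added example, not code from the paper. Its seven-state Kripke structure over $AP = \{p, q\}$ is constructed for the example, and it fixes one orientation of $R$ as an assumption: $xRy$ reads "$x$ simulates $y$", so that the label condition is $\ell(y) \subseteq \ell(x)$ and $\mathrm{pre}_R(S) = \{x \mid \exists y \in S.\ xRy\}$ is the closure of $\mathrm{ad}_d(R)$, as in the proofs of Theorems 7.7 and 7.8. The code computes $R_{\mathrm{sim}}$ as a greatest fixpoint, derives $P_{\mathrm{simeq}}$ from it, and checks forward completeness of $\mathrm{pre}_R$ for every atomic proposition and for $\mathrm{pre}_\to$ by enumerating all subsets of the finite state space.

```python
from itertools import combinations

# Constructed Kripke structure (an assumption of this example, not from the
# paper): states 0..6, AP = {p, q}, transitions in SUCC, labelling in LABEL.
STATES = tuple(range(7))
SUCC = {0: {1, 2}, 1: {1}, 2: {3}, 3: {3}, 4: {2}, 5: {5}, 6: {2}}
LABEL = {0: {"p"}, 1: {"q"}, 2: {"q"}, 3: {"p"}, 4: {"p"}, 5: {"p", "q"}, 6: {"p"}}
AP = ("p", "q")
# Orientation used throughout (assumption): x R y reads "x simulates y", so the
# label condition is l(y) <= l(x) and pre_R(S) = {x | exists y in S. x R y}.


def pre_arrow(S):
    """pre_->(S): states with at least one successor in S."""
    S = set(S)
    return frozenset(x for x in STATES if SUCC[x] & S)


def pre_rel(R, S):
    """pre_R(S) = {x | exists y in S with x R y}: the closure of ad_d(R)."""
    S = set(S)
    return frozenset(x for (x, y) in R if y in S)


def is_preorder(R):
    reflexive = all((x, x) in R for x in STATES)
    transitive = all((x, z) in R for (x, y) in R for (y2, z) in R if y == y2)
    return reflexive and transitive


def is_simulation(R):
    """Conditions (1) and (2) of the definition, in the orientation above."""
    for (x, y) in R:
        if not LABEL[y] <= LABEL[x]:
            return False
        if any(not any((x2, y2) in R for x2 in SUCC[x]) for y2 in SUCC[y]):
            return False
    return True


def largest_simulation():
    """R_sim as a greatest fixpoint: start from the label condition and drop the
    pairs whose transition condition fails until nothing changes."""
    R = {(x, y) for x in STATES for y in STATES if LABEL[y] <= LABEL[x]}
    while True:
        bad = {(x, y) for (x, y) in R
               if any(not any((x2, y2) in R for x2 in SUCC[x]) for y2 in SUCC[y])}
        if not bad:
            return frozenset(R)
        R -= bad


def forward_complete(R):
    """Theorem 7.8 check: pre_R(p) = p for every p in AP, and
    pre_R(pre_->(pre_R(S))) = pre_->(pre_R(S)) for every S (Sigma is finite,
    so every subset is enumerated)."""
    for p in AP:
        ext = frozenset(s for s in STATES if p in LABEL[s])
        if pre_rel(R, ext) != ext:
            return False
    for k in range(len(STATES) + 1):
        for S in combinations(STATES, k):
            image = pre_arrow(pre_rel(R, S))
            if pre_rel(R, image) != image:
                return False
    return True


def preord_of_ad_d(R):
    """preord(ad_d(R)): (x, y) iff alpha({x}) <=_A alpha({y}), which on the
    disjunctive domain ad_d(R) means pre_R({x}) <= pre_R({y})."""
    return frozenset((x, y) for x in STATES for y in STATES
                     if pre_rel(R, {x}) <= pre_rel(R, {y}))


def simulation_equivalence(R):
    """P_simeq: blocks of the symmetric closure, x R y and y R x."""
    return frozenset(frozenset(y for y in STATES if (x, y) in R and (y, x) in R)
                     for x in STATES)
```

On this structure $R_{\mathrm{sim}}$ has 17 pairs, state 5 (labelled $\{p, q\}$, with a self-loop) simulates every state, and the only non-singleton block of $P_{\mathrm{simeq}}$ is $\{4, 6\}$. Adding the pairs $(4, 0)$ and $(6, 0)$ keeps a preorder but violates condition (2), since state 4 cannot match the move $0 \to 1$; the closed set $\mathrm{pre}_R(\{1\}) = \{1, 5\}$ then witnesses the lost completeness, because $\mathrm{pre}_\to(\{1, 5\}) = \{0, 1, 5\}$ is no longer closed under $\mathrm{pre}_R$.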

Proof. Recall that $\mathrm{pre}_R$ is the closure associated to $\mathrm{ad}_d(R)$. We first observe that ($sRs' \Rightarrow \ell(s') \subseteq \ell(s)$) iff $\mathrm{pre}_R$ is forward complete for $AP$. On the one hand, if $p \in AP$ and $s \in \mathrm{pre}_R(p)$ then $sRs'$ for some $s' \in p$, so that, from $\ell(s') \subseteq \ell(s)$, we obtain $s \in p$, and therefore $\mathrm{pre}_R(p) = p$. On the other hand, if $sRs'$ and $s' \in p$, for some $p \in AP$, then $s' \in p = \mathrm{pre}_R(p)$ so that $\mathrm{pre}_R(\{s'\}) \subseteq \mathrm{pre}_R(\mathrm{pre}_R(p)) = \mathrm{pre}_R(p) = p$ and therefore from $s \in \mathrm{pre}_R(\{s'\})$ we obtain $s \in p$.
Thus, it remains to show that $R$ satisfies condition (2) of the definition of simulation iff $\mathrm{pre}_R$ is forward complete for $\mathrm{pre}_\to$.

($\R­ightarrow$) We prove that for any $S$, $\mathrm{pre}_R(\mathrm{pre}_\to(\mathrm{pre}_R(S))) \subseteq \mathrm{pre}_\to(\mathrm{pre}_R(S))$. Let $x \in \mathrm{pre}_R(\mathrm{pre}_\to(\mathrm{pre}_R(S)))$ so that there exists some $y \in \mathrm{pre}_\to(\mathrm{pre}_R(S))$ such that $xRy$. If $x \to x'$, for some $x'$, then, by simulation, there exists some $y'$ such that $y \to y'$ and $x'Ry'$. Hence, $y' \in \mathrm{pre}_R(S)$ and this together with $x'Ry'$, as $R$ is transitive, gives $x' \in \mathrm{pre}_R(S)$. Therefore, $x \in \mathrm{pre}_\to(\mathrm{pre}_R(S))$.

($\Leftarrow$) Observe that in order to show that $R$ is a simulation it is enough to show that if $xRy$ then $x \in \mathrm{pre}_\to(\mathrm{pre}_R(\mathrm{post}_\to(\{y\})))$. The following implications hold, where $\mathrm{post}_\to(\{y\}) \subseteq \mathrm{pre}_R(\mathrm{post}_\to(\{y\}))$ holds because $\mathrm{pre}_R$ is a uco:

$$\begin{array}{lll}
\mathrm{post}_\to(\{y\}) \subseteq \mathrm{pre}_R(\mathrm{post}_\to(\{y\})) & \Rightarrow & [\text{as } \mathrm{pre}_\to \text{ is monotone}] \\
\mathrm{pre}_\to(\mathrm{post}_\to(\{y\})) \subseteq \mathrm{pre}_\to(\mathrm{pre}_R(\mathrm{post}_\to(\{y\}))) & \Rightarrow & [\text{as } y \in \mathrm{pre}_\to(\mathrm{post}_\to(\{y\}))] \\
\{y\} \subseteq \mathrm{pre}_\to(\mathrm{pre}_R(\mathrm{post}_\to(\{y\}))) & \Rightarrow & [\text{as } \mathrm{pre}_R \text{ is monotone}] \\
\mathrm{pre}_R(\{y\}) \subseteq \mathrm{pre}_R(\mathrm{pre}_\to(\mathrm{pre}_R(\mathrm{post}_\to(\{y\})))) & \Rightarrow & [\text{as } \mathrm{pre}_R \text{ is forward complete for } \mathrm{pre}_\to] \\
\mathrm{pre}_R(\{y\}) \subseteq \mathrm{pre}_\to(\mathrm{pre}_R(\mathrm{post}_\to(\{y\}))) & \Rightarrow & [\text{as } x \in \mathrm{pre}_R(\{y\})] \\
x \in \mathrm{pre}_\to(\mathrm{pre}_R(\mathrm{post}_\to(\{y\}))) & &
\end{array}$$

and this closes the proof. □

8 Related work

Loiseaux et al. [39] generalized the standard approach to abstract model checking to more general abstract models where an abstraction relation $\alpha \subseteq \mathrm{States} \times A$ is used instead of a surjective function $h : \mathrm{States} \to A$. However, the strong preservation results given there (cf. [39, Theorems 3 and 4]) require the hypothesis that the relation $\alpha$ is difunctional, i.e. $\alpha = \alpha\alpha^{-1}\alpha$. In this case the abstraction relation $\alpha$ can indeed be derived from a function, so that the class of strongly preserving abstract models in Loiseaux et al.'s framework is not really larger than the class of standard partition-based abstract models (see the detailed discussion by Dams et al. [20, Section 8.1]).

Giacobazzi and Quintarelli [28] first noted that strong preservation is related to completeness in abstract interpretation by studying the relationship between complete abstract interpretations and Clarke et al.'s [6, 7, 8] spurious counterexamples. Given a formula $\varphi$ of ACTL, a model checker running on a standard abstract Kripke structure defined over a state partition $P$ may provide a spurious counterexample $\pi^\sharp$ for $\varphi$, namely a path of abstract states, i.e. blocks of $P$, which does not correspond to a real concrete counterexample. In this case, by exploiting the spurious counterexample $\pi^\sharp$, the partition $P$ is refined to $P'$ by splitting a single block of $P$. As a result, this refined partition $P'$ does not admit the spurious counterexample $\pi^\sharp$ for $\varphi$, so that $P'$ is given as a new refined abstract model for $\varphi$ to the model checker. Giacobazzi and Quintarelli [28] cast spurious counterexamples for a partition $P$ as a lack of (standard) completeness in the abstract interpretation sense for the corresponding partitioning abstract domain $\mathrm{ad}_p(P)$. Then, by applying the results in [31] they put forward a method for systematically refining abstract domains in order to eliminate spurious counterexamples. The relationship between completeness and spurious counterexamples was further studied in [18], where it is also shown that the block splitting operation in Paige and Tarjan's [42] partition refinement algorithm can be characterized in terms of complete abstract interpretations. More generally, the idea of systematically enhancing the precision of abstract interpretations by refining the underlying abstract domains dates back to the early works by Cousot and Cousot [14], and evolved into the systematic design of abstract interpretations by abstract domain refinements [26, 29, 31].

9 Conclusion 

This work shows how the abstract interpretation technique makes it possible to generalize the notion of strong preservation from standard abstract models specified as abstract Kripke structures to generic domains in abstract interpretation. For any inductively defined language $\mathscr{L}$, it turns out that strong preservation of $\mathscr{L}$ in a standard abstract model checking framework based on partitions of the state space $\Sigma$ becomes a particular instance of the property of forward completeness of abstract domains w.r.t. the semantic operators of the language $\mathscr{L}$. In particular, a generalized abstract model can always be refined through a fixpoint iteration to the most abstract domain that strongly preserves $\mathscr{L}$. This generalizes in our framework the idea of partition refinement algorithms that reduce the state space $\Sigma$ in order to obtain a minimal abstract Kripke structure that is strongly preserving for some temporal language.

This work deals with generic temporal languages consisting of state formulae only. As future work, it would be interesting to study whether the ideas of our abstract interpretation-based approach can be applied to linear languages like LTL, consisting of formulae that are interpreted as sets of paths of a Kripke structure. The idea here is to investigate whether standard strong preservation of LTL can be generalized to abstract interpretations of the powerset of traces and to the corresponding completeness properties. Fairness can also be an interesting topic of investigation, namely to study whether our abstract interpretation-based framework allows us to handle fair semantics and fairness constraints [10].

Finally, let us mention that the results presented in this paper led to the design of a generalized Paige-Tarjan refinement algorithm based on abstract interpretation for computing most abstract strongly preserving domains [45]. As shown in Section 6, a most abstract strongly preserving domain can be characterized as a greatest fixpoint computation in $\mathrm{Abs}(\wp(\Sigma))$. It is shown in [45] that the Paige-Tarjan algorithm [42] can be viewed exactly as a corresponding abstract greatest fixpoint computation in $\mathrm{Part}(\Sigma)$. This leads to an abstract interpretation-based Paige-Tarjan-like refinement algorithm that is parametric on any abstract interpretation of the lattice $\mathrm{Abs}(\wp(\Sigma))$ of abstract domains of $\wp(\Sigma)$ and on any generic inductive language